From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56996) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XSQpa-0006q4-EF for qemu-devel@nongnu.org; Fri, 12 Sep 2014 09:24:13 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XSQpQ-0003xv-Dl for qemu-devel@nongnu.org; Fri, 12 Sep 2014 09:24:06 -0400 Received: from mnementh.archaic.org.uk ([81.2.115.146]:46960) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XSQpQ-0003xI-7I for qemu-devel@nongnu.org; Fri, 12 Sep 2014 09:23:56 -0400 Received: from pm215 by mnementh.archaic.org.uk with local (Exim 4.80) (envelope-from ) id 1XSQpP-0003Yc-M7 for qemu-devel@nongnu.org; Fri, 12 Sep 2014 14:23:55 +0100 From: Peter Maydell Date: Fri, 12 Sep 2014 14:23:52 +0100 Message-Id: <1410528234-13545-22-git-send-email-peter.maydell@linaro.org> In-Reply-To: <1410528234-13545-1-git-send-email-peter.maydell@linaro.org> References: <1410528234-13545-1-git-send-email-peter.maydell@linaro.org> Subject: [Qemu-devel] [PULL 21/23] hw/arm/boot: pass an address limit to and return size from load_dtb() List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org From: Ard Biesheuvel Add an address limit input parameter to load_dtb() so that we can tell load_dtb() how much memory the dtb is allowed to consume. If the dtb doesn't fit, return 0, otherwise return the actual size of the loaded dtb. Reviewed-by: Peter Maydell Signed-off-by: Ard Biesheuvel Message-id: 1410453915-9344-3-git-send-email-ard.biesheuvel@linaro.org Signed-off-by: Peter Maydell --- hw/arm/boot.c | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/hw/arm/boot.c b/hw/arm/boot.c index 50eca93..2083aeb 100644 --- a/hw/arm/boot.c +++ b/hw/arm/boot.c @@ -312,7 +312,26 @@ static void set_kernel_args_old(const struct arm_boot_info *info) } } -static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo) +/** + * load_dtb() - load a device tree binary image into memory + * @addr: the address to load the image at + * @binfo: struct describing the boot environment + * @addr_limit: upper limit of the available memory area at @addr + * + * Load a device tree supplied by the machine or by the user with the + * '-dtb' command line option, and put it at offset @addr in target + * memory. + * + * If @addr_limit contains a meaningful value (i.e., it is strictly greater + * than @addr), the device tree is only loaded if its size does not exceed + * the limit. + * + * Returns: the size of the device tree image on success, + * 0 if the image size exceeds the limit, + * -1 on errors. + */ +static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo, + hwaddr addr_limit) { void *fdt = NULL; int size, rc; @@ -341,6 +360,15 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo) } } + if (addr_limit > addr && size > (addr_limit - addr)) { + /* Installing the device tree blob at addr would exceed addr_limit. + * Whether this constitutes failure is up to the caller to decide, + * so just return 0 as size, i.e., no error. + */ + g_free(fdt); + return 0; + } + acells = qemu_fdt_getprop_cell(fdt, "/", "#address-cells"); scells = qemu_fdt_getprop_cell(fdt, "/", "#size-cells"); if (acells == 0 || scells == 0) { @@ -403,7 +431,7 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo) g_free(fdt); - return 0; + return size; fail: g_free(fdt); @@ -572,7 +600,7 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) */ hwaddr dtb_start = QEMU_ALIGN_UP(info->initrd_start + initrd_size, 4096); - if (load_dtb(dtb_start, info)) { + if (load_dtb(dtb_start, info, 0) < 0) { exit(1); } fixupcontext[FIXUP_ARGPTR] = dtb_start; -- 1.9.1