From patchwork Tue Mar 6 20:43:43 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Clark X-Patchwork-Id: 10262951 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 940336055D for ; Tue, 6 Mar 2018 20:59:53 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 83F4C29191 for ; Tue, 6 Mar 2018 20:59:53 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 77BAF291A4; Tue, 6 Mar 2018 20:59:53 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id C218029191 for ; Tue, 6 Mar 2018 20:59:52 +0000 (UTC) Received: from localhost ([::1]:58146 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1etJge-000215-2F for patchwork-qemu-devel@patchwork.kernel.org; Tue, 06 Mar 2018 15:59:52 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46952) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1etJSu-0006CV-Jd for qemu-devel@nongnu.org; Tue, 06 Mar 2018 15:45:41 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1etJSt-0003Rp-EW for qemu-devel@nongnu.org; Tue, 06 Mar 2018 15:45:40 -0500 Received: from mail-pf0-x242.google.com ([2607:f8b0:400e:c00::242]:37959) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1etJSt-0003Re-6m for qemu-devel@nongnu.org; Tue, 06 Mar 2018 15:45:39 -0500 Received: by mail-pf0-x242.google.com with SMTP id d26so9256151pfn.5 for ; Tue, 06 Mar 2018 12:45:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sifive.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=SCFEaP84GKwDlzgbXZzt/iWXmUppXUuf8Xo4cEvxCcU=; b=FBygBTqSAaGwfaaZZ8oy+1XK0UP7S+nz6UpEUYg86WmfDJKk4Zm43xzSxXWvDlW6qR XauUUUatLy7CPxsvAG3KjlddZSsDfHZL4hAbKpJtiaqLMtkwQDnsJAwZ4pIOgwceVfYo LLo1z2VuPhHEDKVVs0aPqvw7s9u4N3U8lptT4MDQtte+s+jDjk2F/D6wPq7I40/x10Mo 2zEor1dRTh/iAymopB6L+gYCjzO6OhTG2M1wIi0qeleFpIs1e4LTatMzd4p+sj3A/EOw QzjsmkuV1g5+qLfLDiGGQ4WBt+8dA3tCw5CAB0ZXuz/Be70aCZ7o0FG1EXA7av5o+erB s7yQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=SCFEaP84GKwDlzgbXZzt/iWXmUppXUuf8Xo4cEvxCcU=; b=tAaMuE5j3ug9tLpfkmrqOpCbbFtREHLHNhXD5NvLYP+HRH2tfWUw9MJrY55LiRZEck 2Yfzsl7b/LNsLJlTc/dzjywm+wuKNgNE1Vw0mBrJkv5jJyuCyAkJG2T2MIBBq8aUme4E PwpmNDL2SyszYdMnMHzThYvIMcWt7rKMEb8eYVp9y+1Ski1oADvcywSaEt7mYkK+r19C M5i/JEel1pB2gJA/TQp+ntDJm5ejbQcbiNrvxro2J46znyv0+Nvqs+XcI8Su/BgSNhEx neOdS+ISZr2O+lNi5pirqLKZ2tsjv5S4ycTgTCbFJJc/UaJY8QxB4aDUm4nAhZEj3oho Il3g== X-Gm-Message-State: APf1xPA+90GQKY+SG8Nm9cyBEZRGZq1TRimymE2z5Veuq5oCbowTSazN 5d4MjV3X0x9db2BMy+R3neZFhHYNL48= X-Google-Smtp-Source: AG47ELsRe+PAa5UtZrX9M50h0rGM4nNUeGo5t6uaPS7xPirZHpgKuaz6f9SoxyRgrQ/FugXPwLn81w== X-Received: by 10.101.73.77 with SMTP id q13mr15921455pgs.336.1520369138065; Tue, 06 Mar 2018 12:45:38 -0800 (PST) Received: from localhost.localdomain (125-237-39-90-fibre.bb.spark.co.nz. [125.237.39.90]) by smtp.gmail.com with ESMTPSA id y6sm39123791pfg.71.2018.03.06.12.45.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 06 Mar 2018 12:45:37 -0800 (PST) From: Michael Clark To: qemu-devel@nongnu.org Date: Wed, 7 Mar 2018 09:43:43 +1300 Message-Id: <1520369037-37977-9-git-send-email-mjc@sifive.com> X-Mailer: git-send-email 2.7.0 In-Reply-To: <1520369037-37977-1-git-send-email-mjc@sifive.com> References: <1520369037-37977-1-git-send-email-mjc@sifive.com> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:400e:c00::242 Subject: [Qemu-devel] [PATCH v1 08/22] RISC-V: Make sure the emulated rom has space for X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Bastian Koppelmann , Michael Clark , Palmer Dabbelt , Sagar Karandikar , RISC-V Patches device-tree Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Remove a potential buffer overflow (not seen in practice). Perhaps cpu_physical_memory_write already has bound checks. This change however makes space for the maximum device tree size and adds an explicit bounds check and error message. It doesn't trigger, but it may help in the future if the device-tree size is exceeded. e.g. large bootargs. Signed-off-by: Michael Clark Signed-off-by: Palmer Dabbelt --- hw/riscv/sifive_u.c | 20 ++++++++++++-------- hw/riscv/spike.c | 16 +++++++++++----- hw/riscv/virt.c | 13 +++++++++---- 3 files changed, 32 insertions(+), 17 deletions(-) diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c index 083043a..57b4f4f 100644 --- a/hw/riscv/sifive_u.c +++ b/hw/riscv/sifive_u.c @@ -52,7 +52,7 @@ static const struct MemmapEntry { hwaddr size; } sifive_u_memmap[] = { [SIFIVE_U_DEBUG] = { 0x0, 0x100 }, - [SIFIVE_U_MROM] = { 0x1000, 0x2000 }, + [SIFIVE_U_MROM] = { 0x1000, 0x11000 }, [SIFIVE_U_CLINT] = { 0x2000000, 0x10000 }, [SIFIVE_U_PLIC] = { 0xc000000, 0x4000000 }, [SIFIVE_U_UART0] = { 0x10013000, 0x1000 }, @@ -221,7 +221,7 @@ static void riscv_sifive_u_init(MachineState *machine) const struct MemmapEntry *memmap = sifive_u_memmap; SiFiveUState *s = g_new0(SiFiveUState, 1); - MemoryRegion *sys_memory = get_system_memory(); + MemoryRegion *system_memory = get_system_memory(); MemoryRegion *main_mem = g_new(MemoryRegion, 1); MemoryRegion *mask_rom = g_new(MemoryRegion, 1); @@ -239,7 +239,7 @@ static void riscv_sifive_u_init(MachineState *machine) /* register RAM */ memory_region_init_ram(main_mem, NULL, "riscv.sifive.u.ram", machine->ram_size, &error_fatal); - memory_region_add_subregion(sys_memory, memmap[SIFIVE_U_DRAM].base, + memory_region_add_subregion(system_memory, memmap[SIFIVE_U_DRAM].base, main_mem); /* create device tree */ @@ -247,9 +247,9 @@ static void riscv_sifive_u_init(MachineState *machine) /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.sifive.u.mrom", - memmap[SIFIVE_U_MROM].base, &error_fatal); - memory_region_set_readonly(mask_rom, true); - memory_region_add_subregion(sys_memory, 0x0, mask_rom); + memmap[SIFIVE_U_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SIFIVE_U_MROM].base, + mask_rom); if (machine->kernel_filename) { load_kernel(machine->kernel_filename); @@ -276,6 +276,10 @@ static void riscv_sifive_u_init(MachineState *machine) copy_le32_to_phys(memmap[SIFIVE_U_MROM].base, reset_vec, sizeof(reset_vec)); /* copy in the device tree */ + if (s->fdt_size >= memmap[SIFIVE_U_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[SIFIVE_U_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); @@ -293,9 +297,9 @@ static void riscv_sifive_u_init(MachineState *machine) SIFIVE_U_PLIC_CONTEXT_BASE, SIFIVE_U_PLIC_CONTEXT_STRIDE, memmap[SIFIVE_U_PLIC].size); - sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART0].base, + sifive_uart_create(system_memory, memmap[SIFIVE_U_UART0].base, serial_hds[0], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART0_IRQ]); - /* sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART1].base, + /* sifive_uart_create(system_memory, memmap[SIFIVE_U_UART1].base, serial_hds[1], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART1_IRQ]); */ sifive_clint_create(memmap[SIFIVE_U_CLINT].base, memmap[SIFIVE_U_CLINT].size, smp_cpus, diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c index 64e585e..c7d937b 100644 --- a/hw/riscv/spike.c +++ b/hw/riscv/spike.c @@ -46,7 +46,7 @@ static const struct MemmapEntry { hwaddr base; hwaddr size; } spike_memmap[] = { - [SPIKE_MROM] = { 0x1000, 0x2000 }, + [SPIKE_MROM] = { 0x1000, 0x11000 }, [SPIKE_CLINT] = { 0x2000000, 0x10000 }, [SPIKE_DRAM] = { 0x80000000, 0x0 }, }; @@ -197,8 +197,9 @@ static void spike_v1_10_0_board_init(MachineState *machine) /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom", - s->fdt_size + 0x2000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[SPIKE_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base, + mask_rom); if (machine->kernel_filename) { load_kernel(machine->kernel_filename); @@ -225,6 +226,10 @@ static void spike_v1_10_0_board_init(MachineState *machine) copy_le32_to_phys(memmap[SPIKE_MROM].base, reset_vec, sizeof(reset_vec)); /* copy in the device tree */ + if (s->fdt_size >= memmap[SPIKE_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[SPIKE_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); @@ -266,8 +271,9 @@ static void spike_v1_09_1_board_init(MachineState *machine) /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom", - 0x40000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[SPIKE_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base, + mask_rom); if (machine->kernel_filename) { load_kernel(machine->kernel_filename); diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c index 5913100..d680cbd 100644 --- a/hw/riscv/virt.c +++ b/hw/riscv/virt.c @@ -45,8 +45,8 @@ static const struct MemmapEntry { hwaddr size; } virt_memmap[] = { [VIRT_DEBUG] = { 0x0, 0x100 }, - [VIRT_MROM] = { 0x1000, 0x2000 }, - [VIRT_TEST] = { 0x4000, 0x1000 }, + [VIRT_MROM] = { 0x1000, 0x11000 }, + [VIRT_TEST] = { 0x100000, 0x1000 }, [VIRT_CLINT] = { 0x2000000, 0x10000 }, [VIRT_PLIC] = { 0xc000000, 0x4000000 }, [VIRT_UART0] = { 0x10000000, 0x100 }, @@ -297,8 +297,9 @@ static void riscv_virt_board_init(MachineState *machine) /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv_virt_board.mrom", - s->fdt_size + 0x2000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[VIRT_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[VIRT_MROM].base, + mask_rom); if (machine->kernel_filename) { uint64_t kernel_entry = load_kernel(machine->kernel_filename); @@ -336,6 +337,10 @@ static void riscv_virt_board_init(MachineState *machine) copy_le32_to_phys(memmap[VIRT_MROM].base, reset_vec, sizeof(reset_vec)); /* copy in the device tree */ + if (s->fdt_size >= memmap[VIRT_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[VIRT_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size);