From patchwork Fri Mar 9 04:12:30 2018
From: Michael Clark To: qemu-devel@nongnu.org Date: Fri, 9 Mar 2018 17:12:30 +1300 Message-Id: <1520568765-58189-9-git-send-email-mjc@sifive.com> X-Mailer: git-send-email 2.7.0 In-Reply-To: <1520568765-58189-1-git-send-email-mjc@sifive.com> References: <1520568765-58189-1-git-send-email-mjc@sifive.com> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:400e:c01::244 Subject: [Qemu-devel] [PATCH v2 08/23] RISC-V: Make sure rom has space for fdt X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Bastian Koppelmann , Michael Clark , Palmer Dabbelt , Sagar Karandikar Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Remove a potential buffer overflow (not seen in practice). Perhaps cpu_physical_memory_write already has bound checks. This change however makes space for the maximum device tree size and adds an explicit bounds check and error message. It doesn't trigger, but it may help in the future if the device-tree size is exceeded. e.g. large bootargs. Cc: Sagar Karandikar Cc: Bastian Koppelmann Signed-off-by: Michael Clark Signed-off-by: Palmer Dabbelt --- hw/riscv/sifive_u.c | 20 ++++++++++++-------- hw/riscv/spike.c | 16 +++++++++++----- hw/riscv/virt.c | 13 +++++++++---- 3 files changed, 32 insertions(+), 17 deletions(-) diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c index 083043a..57b4f4f 100644 --- a/hw/riscv/sifive_u.c +++ b/hw/riscv/sifive_u.c @@ -52,7 +52,7 @@ static const struct MemmapEntry { hwaddr size; } sifive_u_memmap[] = { [SIFIVE_U_DEBUG] = { 0x0, 0x100 }, - [SIFIVE_U_MROM] = { 0x1000, 0x2000 }, + [SIFIVE_U_MROM] = { 0x1000, 0x11000 }, [SIFIVE_U_CLINT] = { 0x2000000, 0x10000 }, [SIFIVE_U_PLIC] = { 0xc000000, 0x4000000 }, [SIFIVE_U_UART0] = { 0x10013000, 0x1000 }, 
@@ -221,7 +221,7 @@ static void riscv_sifive_u_init(MachineState *machine) const struct MemmapEntry *memmap = sifive_u_memmap; SiFiveUState *s = g_new0(SiFiveUState, 1); - MemoryRegion *sys_memory = get_system_memory(); + MemoryRegion *system_memory = get_system_memory(); MemoryRegion *main_mem = g_new(MemoryRegion, 1); MemoryRegion *mask_rom = g_new(MemoryRegion, 1); @@ -239,7 +239,7 @@ static void riscv_sifive_u_init(MachineState *machine) /* register RAM */ memory_region_init_ram(main_mem, NULL, "riscv.sifive.u.ram", machine->ram_size, &error_fatal); - memory_region_add_subregion(sys_memory, memmap[SIFIVE_U_DRAM].base, + memory_region_add_subregion(system_memory, memmap[SIFIVE_U_DRAM].base, main_mem); /* create device tree */ @@ -247,9 +247,9 @@ static void riscv_sifive_u_init(MachineState *machine) /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.sifive.u.mrom", - memmap[SIFIVE_U_MROM].base, &error_fatal); - memory_region_set_readonly(mask_rom, true); - memory_region_add_subregion(sys_memory, 0x0, mask_rom); + memmap[SIFIVE_U_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SIFIVE_U_MROM].base, + mask_rom); if (machine->kernel_filename) { load_kernel(machine->kernel_filename); @@ -276,6 +276,10 @@ static void riscv_sifive_u_init(MachineState *machine) copy_le32_to_phys(memmap[SIFIVE_U_MROM].base, reset_vec, sizeof(reset_vec)); /* copy in the device tree */ + if (s->fdt_size >= memmap[SIFIVE_U_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[SIFIVE_U_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); 
@@ -293,9 +297,9 @@ static void riscv_sifive_u_init(MachineState *machine) SIFIVE_U_PLIC_CONTEXT_BASE, SIFIVE_U_PLIC_CONTEXT_STRIDE, memmap[SIFIVE_U_PLIC].size); - sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART0].base, + sifive_uart_create(system_memory, memmap[SIFIVE_U_UART0].base, serial_hds[0], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART0_IRQ]); - /* sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART1].base, + /* sifive_uart_create(system_memory, memmap[SIFIVE_U_UART1].base, serial_hds[1], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART1_IRQ]); */ sifive_clint_create(memmap[SIFIVE_U_CLINT].base, memmap[SIFIVE_U_CLINT].size, smp_cpus, diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c index 64e585e..c7d937b 100644 --- a/hw/riscv/spike.c +++ b/hw/riscv/spike.c @@ -46,7 +46,7 @@ static const struct MemmapEntry { hwaddr base; hwaddr size; } spike_memmap[] = { - [SPIKE_MROM] = { 0x1000, 0x2000 }, + [SPIKE_MROM] = { 0x1000, 0x11000 }, [SPIKE_CLINT] = { 0x2000000, 0x10000 }, [SPIKE_DRAM] = { 0x80000000, 0x0 }, }; @@ -197,8 +197,9 @@ static void spike_v1_10_0_board_init(MachineState *machine) /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom", - s->fdt_size + 0x2000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[SPIKE_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base, + mask_rom); if (machine->kernel_filename) { load_kernel(machine->kernel_filename); @@ -225,6 +226,10 @@ static void spike_v1_10_0_board_init(MachineState *machine) copy_le32_to_phys(memmap[SPIKE_MROM].base, reset_vec, sizeof(reset_vec)); /* copy in the device tree */ + if (s->fdt_size >= memmap[SPIKE_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[SPIKE_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); 
@@ -266,8 +271,9 @@ static void spike_v1_09_1_board_init(MachineState *machine) /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom", - 0x40000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[SPIKE_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base, + mask_rom); if (machine->kernel_filename) { load_kernel(machine->kernel_filename); diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c index 5913100..d680cbd 100644 --- a/hw/riscv/virt.c +++ b/hw/riscv/virt.c @@ -45,8 +45,8 @@ static const struct MemmapEntry { hwaddr size; } virt_memmap[] = { [VIRT_DEBUG] = { 0x0, 0x100 }, - [VIRT_MROM] = { 0x1000, 0x2000 }, - [VIRT_TEST] = { 0x4000, 0x1000 }, + [VIRT_MROM] = { 0x1000, 0x11000 }, + [VIRT_TEST] = { 0x100000, 0x1000 }, [VIRT_CLINT] = { 0x2000000, 0x10000 }, [VIRT_PLIC] = { 0xc000000, 0x4000000 }, [VIRT_UART0] = { 0x10000000, 0x100 }, @@ -297,8 +297,9 @@ static void riscv_virt_board_init(MachineState *machine) /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv_virt_board.mrom", - s->fdt_size + 0x2000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[VIRT_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[VIRT_MROM].base, + mask_rom); if (machine->kernel_filename) { uint64_t kernel_entry = load_kernel(machine->kernel_filename); @@ -336,6 +337,10 @@ static void riscv_virt_board_init(MachineState *machine) copy_le32_to_phys(memmap[VIRT_MROM].base, reset_vec, sizeof(reset_vec)); /* copy in the device tree */ + if (s->fdt_size >= memmap[VIRT_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[VIRT_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size);
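Review bot: the sys_memory to system_memory rename in hw/riscv/sifive_u.c (the local declaration, the DRAM add_subregion, the two sifive_uart_create calls and the commented-out UART1 line) is unrelated to the bounds fix and roughly doubles the diff for that file; please split it into its own cleanup patch so the security-relevant change stays reviewable on its own.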
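Review bot: the "boot rom" hunk in hw/riscv/sifive_u.c silently drops `memory_region_set_readonly(mask_rom, true);`, so the mask ROM becomes guest-writable, and the commit message does not mention it. If the line had to go because cpu_physical_memory_write does not land in a read-only region, say so in the message; otherwise keep the region read-only and populate it with rom_add_blob_fixed() instead. The same hunk also fixes two latent bugs worth calling out: the old code passed `memmap[SIFIVE_U_MROM].base` (0x1000) as the region size, and mapped the ROM at 0x0 on top of `[SIFIVE_U_DEBUG] = { 0x0, 0x100 }`.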
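Review bot: the new check `if (s->fdt_size >= memmap[..._MROM].size - sizeof(reset_vec))` is off by one in the safe direction in all three boards: the write covers `[base + sizeof(reset_vec), base + sizeof(reset_vec) + fdt_size)`, so an fdt that exactly fills the remaining space is valid and `>` would suffice; `>=` is fine if you want the slack, but a comment should say it is deliberate. The "qemu: " prefix in `error_report("qemu: not enough space to store device-tree")` is redundant because error_report() already prepends the program name. Since the three checks are textually identical, a small shared helper (taking the MROM memmap entry, the reset vector size and fdt_size) would keep them from drifting apart.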
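Review bot: in the spike_v1_09_1_board_init hunk of hw/riscv/spike.c the ROM shrinks from a fixed 0x40000 to `memmap[SPIKE_MROM].size` (0x11000), but unlike the v1.10.0 board no bounds check is added before whatever that board copies into the ROM after the reset vector. Whatever is written there needs the same size check as the other boards, or the commit message should state why the 1.09.1 payload cannot exceed the new size.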
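Review bot: the hw/riscv/virt.c memmap hunk moves `[VIRT_TEST]` from 0x4000 to 0x100000 because the enlarged MROM (0x1000 + 0x11000 = 0x12000) would otherwise overlap it. That is a guest-visible address change for the test device that the commit message ("Make sure rom has space for fdt") does not mention; please add a sentence, and confirm the generated device tree node for the test device picks its address from the memmap rather than a hard-coded 0x4000.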