From patchwork Mon Aug  1 09:50:39 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
X-Patchwork-Id: 73097
Delivered-To: patch@linaro.org
Received: by 10.140.29.52 with SMTP id a49csp2608396qga;
 Mon, 1 Aug 2016 02:51:05 -0700 (PDT)
X-Received: by 10.98.71.140 with SMTP id p12mr94237786pfi.93.1470045064967; 
 Mon, 01 Aug 2016 02:51:04 -0700 (PDT)
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 rd11si34345212pac.109.2016.08.01.02.51.04; 
 Mon, 01 Aug 2016 02:51:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dmarc=pass (p=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1752375AbcHAJvD (ORCPT <rfc822;julien.grall@linaro.org>
 + 27 others); Mon, 1 Aug 2016 05:51:03 -0400
Received: from mail-it0-f47.google.com ([209.85.214.47]:35646 "EHLO
 mail-it0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1751059AbcHAJu6 (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Mon, 1 Aug 2016 05:50:58 -0400
Received: by mail-it0-f47.google.com with SMTP id u186so242002878ita.0
 for <linux-kernel@vger.kernel.org>;
 Mon, 01 Aug 2016 02:50:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=ITIBt1Q3rE7vhtbqE+5J3l8a0XjNBOxFJ/YqmFSeRpU=;
 b=XjYepfa5FhXhQx9jC3G1zqid5Ps6NMf3mJmFlS3W24SUqVkFFK/qYXDlslKDo5LKdG
 3LTqC96iNy2/453k4PxO3mJeMJF1uYtAtd0tOGrU82KAjz0mV3yiTFDs+UZgG99QHLKc
 kV6G4hrjxRXsqj2zY4Mqw0Zl+X+6IEtisHkhM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=ITIBt1Q3rE7vhtbqE+5J3l8a0XjNBOxFJ/YqmFSeRpU=;
 b=ltmsIuYNXe+Vdh1F/hcLs2ughudDqitAKaKkh6SzheyozTPPL7ZAemtgCLMg4q6P1X
 3YF5faOJMJK/dGUgVKyL9p+jr3cDx7aWKQ9TobjJd7doZh/ZoNo47jhmJM16ny2zSm2u
 WWoQBoY09h8fB6Heyd4WS5CAGNwFAoUiLW7qWWRWAnSvvy77FaUsAI49XCs011YN4hZp
 J8yJ2igzz9vO39xONPmYMMBHboVyU43VmGoZxDhOR11t9YkwNXmeC5Ox1Jg/uL4cpKN+
 KpjheEwd4w/1SZKxVe2hMd/SrmY1F3ArPsxUR0MVtPPvPCRaILY1JCl+vcopHJvtbhvS
 jJTw==
X-Gm-Message-State: AEkooutWI20LmaEfp3bTnbp2H19fhyeAJ1chNBqiKcjuSXFOzGbs+9P0zKQKgWOtRjVNjD8+JmGHEEeN0VYkbV2B
X-Received: by 10.107.41.67 with SMTP id p64mr52787721iop.130.1470045039964; 
 Mon, 01 Aug 2016 02:50:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.204.195 with HTTP; Mon, 1 Aug 2016 02:50:39 -0700 (PDT)
In-Reply-To: <579F197B.80101@zoho.com>
References: <579F197B.80101@zoho.com>
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Mon, 1 Aug 2016 11:50:39 +0200
Message-ID: <CAKv+Gu9QQdncCD_T8+tpdVP8qx=EKM9-PGLvb8J9RNA2qHddFw@mail.gmail.com>
Subject: Re: [PATCH] arm64: fix address fault during mapping fdt region
To: zijun_hu <zijun_hu@zoho.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
 Will Deacon <will.deacon@arm.com>, "linux-arm-kernel@lists.infradead.org" 
 <linux-arm-kernel@lists.infradead.org>,
 Mark Rutland <mark.rutland@arm.com>,
 Laura Abbott <labbott@fedoraproject.org>,
 "Suzuki K. Poulose" <suzuki.poulose@arm.com>,
 Jeremy Linton <jeremy.linton@arm.com>, tj@kernel.org,
 "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
 "stable@vger.kernel.org" <stable@vger.kernel.org>,
 Andrew Morton <akpm@linux-foundation.org>, zijun_hu@htc.com
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 1 August 2016 at 11:42, zijun_hu <zijun_hu@zoho.com> wrote:
> From 07b9216ec3494515e7a6c41e0333eb8782427db3 Mon Sep 17 00:00:00 2001
> From: zijun_hu <zijun_hu@htc.com>
> Date: Mon, 1 Aug 2016 17:04:59 +0800
> Subject: [PATCH] arm64: fix address fault during mapping fdt region
>
> fdt_check_header() accesses other fileds of fdt header but
> the first 8 bytes such as version; so accessing unmapped
> address fault happens if fdt region locates below align
> boundary nearly during mapping fdt region, or expressed as
> (offset + sizeof(struct fdt_header)) > SWAPPER_BLOCK_SIZE
>
> fdt header size at least is mapped in order to avoid the issue
>
> Signed-off-by: zijun_hu <zijun_hu@htc.com>
> ---
>  arch/arm64/mm/mmu.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index 0f85a46..0d72b71 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -744,6 +744,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
>         const u64 dt_virt_base = __fix_to_virt(FIX_FDT);
>         int offset;
>         void *dt_virt;
> +       int dt_header_map_size;
>
>         /*
>          * Check whether the physical FDT address is set and meets the minimum
> @@ -774,9 +775,18 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
>         offset = dt_phys % SWAPPER_BLOCK_SIZE;
>         dt_virt = (void *)dt_virt_base + offset;
>
> +       /*
> +        * fdt_check_header() maybe access any field of fdt header not
> +        * the first 8 bytes only, so map fdt header size at least for
> +        * checking fdt header without address fault more portably
> +        */
> +       BUILD_BUG_ON(sizeof(struct fdt_header) > SWAPPER_BLOCK_SIZE);
> +       dt_header_map_size = round_up(offset + sizeof(struct fdt_header),
> +                       SWAPPER_BLOCK_SIZE);
> +
>         /* map the first chunk so we can read the size from the header */
>         create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
> -                       dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
> +                       dt_virt_base, dt_header_map_size, prot);
>
>         if (fdt_check_header(dt_virt) != 0)
>                 return NULL;
> @@ -785,7 +795,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
>         if (*size > MAX_FDT_SIZE)
>                 return NULL;
>
> -       if (offset + *size > SWAPPER_BLOCK_SIZE)
> +       if (offset + *size > dt_header_map_size)
>                 create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base,
>                                round_up(offset + *size, SWAPPER_BLOCK_SIZE), prot);
>

Couldn't we simply do this instead?

        *size = fdt_totalsize(dt_virt);

We are simply looking for a size field. The OF code will call
fdt_check_header() again, so anything that is checked there in
addition to the magic field will still be checked.

-- 
Ard.

diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index 0f85a46c3e18..e8d3b04a2b57 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -778,7 +778,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t
dt_phys, int *size, pgprot_t prot)
        create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
                        dt_virt_base, SWAPPER_BLOCK_SIZE, prot);

-       if (fdt_check_header(dt_virt) != 0)
+       if (fdt_magic(dt_virt) != FDT_MAGIC)
                return NULL;