From patchwork Wed Aug 31 20:50:18 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Loic PALLARDY X-Patchwork-Id: 9307839 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C458E60865 for ; Wed, 31 Aug 2016 20:54:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B48A6290A4 for ; Wed, 31 Aug 2016 20:54:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A948F290B0; Wed, 31 Aug 2016 20:54:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 31F07290B2 for ; Wed, 31 Aug 2016 20:54:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933888AbcHaUwB (ORCPT ); Wed, 31 Aug 2016 16:52:01 -0400 Received: from mx08-00178001.pphosted.com ([91.207.212.93]:59576 "EHLO mx07-00178001.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S933887AbcHaUv7 (ORCPT ); Wed, 31 Aug 2016 16:51:59 -0400 Received: from pps.filterd (m0046661.ppops.net [127.0.0.1]) by mx08-00178001.pphosted.com (8.16.0.11/8.16.0.11) with SMTP id u7VKnJ7n015771; Wed, 31 Aug 2016 22:51:52 +0200 Received: from beta.dmz-eu.st.com (beta.dmz-eu.st.com [164.129.1.35]) by mx08-.pphosted.com with ESMTP id 255btkb8jq-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 31 Aug 2016 22:51:52 +0200 Received: from zeta.dmz-eu.st.com (zeta.dmz-eu.st.com [164.129.230.9]) by beta.dmz-eu.st.com (STMicroelectronics) with ESMTP id D615E38; Wed, 31 Aug 2016 20:51:51 +0000 (GMT) Received: from Webmail-eu.st.com (Safex1hubcas23.st.com [10.75.90.46]) by zeta.dmz-eu.st.com (STMicroelectronics) with ESMTP id BE62050E2; Wed, 31 Aug 2016 20:51:51 +0000 (GMT) Received: from localhost (10.129.5.21) by webmail-ga.st.com (10.75.90.48) with Microsoft SMTP Server (TLS) id 14.3.279.2; Wed, 31 Aug 2016 22:51:50 +0200 From: Loic Pallardy To: , , CC: , , , Subject: [PATCH v2 15/19] remoteproc: core: Add function to verify resource table consistency Date: Wed, 31 Aug 2016 22:50:18 +0200 Message-ID: <1472676622-32533-16-git-send-email-loic.pallardy@st.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1472676622-32533-1-git-send-email-loic.pallardy@st.com> References: <1472676622-32533-1-git-send-email-loic.pallardy@st.com> MIME-Version: 1.0 X-Originating-IP: [10.129.5.21] X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-08-31_04:, , signatures=0 Sender: linux-remoteproc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-remoteproc@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP As resource table could be parsed several times, at different times, to avoid sanity check duplication, let's introduce a new function to verify the complete integrity of one resource table. This new function is called before copying it in cache and accessing it. Signed-off-by: Loic Pallardy --- drivers/remoteproc/remoteproc_core.c | 79 ++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c index 67b83d0..b43553f 100644 --- a/drivers/remoteproc/remoteproc_core.c +++ b/drivers/remoteproc/remoteproc_core.c @@ -791,6 +791,78 @@ static void rproc_resource_cleanup(struct rproc *rproc) rproc_remove_virtio_dev(rvdev); } +static int rproc_rsc_tbl_sanity_check(struct rproc *rproc, + struct resource_table *table_ptr, int len) +{ + struct device *dev = &rproc->dev; + int i; + + if (len < sizeof(*table_ptr)) + goto out; + + for (i = 0; i < table_ptr->num; i++) { + int offset = table_ptr->offset[i]; + struct fw_rsc_hdr *hdr = (void *)table_ptr + offset; + int avail = len - offset - sizeof(*hdr); + void *rsc = (void *)hdr + sizeof(*hdr); + struct fw_rsc_vdev *v; + struct fw_rsc_spare *s; + + /* make sure table isn't truncated */ + if (avail < 0) + goto out; + + if (offset == FW_RSC_ADDR_ANY || offset == 0) { + dev_err(dev, "Entry %d: bad offset value %x\n", i, offset); + return -EINVAL; + } + + dev_dbg(dev, "rsc: type %d\n", hdr->type); + + switch (hdr->type) { + case RSC_CARVEOUT: + avail -= sizeof(struct fw_rsc_carveout); + break; + case RSC_DEVMEM: + avail -= sizeof(struct fw_rsc_devmem); + break; + case RSC_TRACE: + avail -= sizeof(struct fw_rsc_trace); + break; + case RSC_VDEV: + v = rsc; + avail -= sizeof(struct fw_rsc_vdev); + if (avail < 0) + goto out; + + avail -= v->num_of_vrings * sizeof(struct fw_rsc_vdev_vring) + + v->config_len; + break; + case RSC_SPARE: + avail -= sizeof(struct fw_rsc_spare); + if (avail < 0) + goto out; + + s = rsc; + avail -= s->len; + break; + default: + dev_err(&rproc->dev, "Unsupported resource type: %d\n", + hdr->type); + return -EINVAL; + } + if (avail < 0) + goto out; + } + + return 0; + +out: + dev_err(dev, "Invalid resource table format\n"); + dump_stack(); + return -EINVAL; +} + #if defined(DEBUG) static void rproc_dump_resource_table(struct rproc *rproc, struct resource_table *table, int size) @@ -1267,6 +1339,13 @@ static int rproc_fw_boot(struct rproc *rproc, const struct firmware *fw) goto clean_up; } + /* verify resource table consistency */ + ret = rproc_rsc_tbl_sanity_check(rproc, table, tablesz); + if (ret) { + dev_err(dev, "Failed to get valid resource table,%d\n", ret); + goto clean_up; + } + /* * Create a copy of the resource table. When a virtio device starts * and calls vring_new_virtqueue() the address of the allocated vring