The root node is supposed to have an empty name, but at present this is
not checked. The behaviour of such a tree is not well defined. Most
software rightly assumes that the root node is at offset 0 and does not
check the name. This oddity was discovered as part of a security
investigation into U-Boot verified boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323010410.3222701-2-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present it is possible to have two root nodes and even access nodes
in the 'second' root. Such trees should not be considered valid. This
was discovered as part of a security investigation into U-Boot verified
boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323000926.3210733-1-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their
parameters, or the memory reserve section offset in the header. That means
that on a corrupted blob they could access outside of the range of memory
that they should.
This improves their safety checking, meaning they shouldn't access outside
the blob's bounds, even if its contents are badly corrupted.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_string() is used to retrieve strings from a DT blob's strings section.
It's rarely used directly, but is widely used internally.
However, it doesn't do any bounds checking, which means in the case of a
corrupted blob it could access bad memory, which libfdt is supposed to
avoid.
This write a safe alternative to fdt_string, fdt_get_string(). It checks
both that the given offset is within the string section and that the string
it points to is properly \0 terminated within the section. It also returns
the string's length as a convenience (since it needs to determine to do the
checks anyway).
fdt_string() is rewritten in terms of fdt_get_string() for compatibility.
Most of the diff here is actually testing infrastructure.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
In a number of places, dtc and associated tools and test code use
leading _ characters on identifiers to flag them as "internal", an
idiom taken from the Linux kernel. This is a bad idea in a userspace
program, because identifiers with a leading _ are reserved for the C
library / system.
In some cases, the extra _ served no real purpose, so simply drop it. In
others move to the end of the identifier, which is a convention we're free
to use for our own purposes.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
For testing we (ab)use the assembler to build us a sample dtb, independent
of the other tools (dtc and libfdt) that we're trying to test. In a few
places this uses 64-bit arithmetic to decompose 64-bit constants into
the individual bytes in the blob.
Unfortunately, it seems that some builds of GNU as don't support >32 bit
arithmetic, though it's not entirely clear to me which do and which don't
(Fedora i386 does support 64-bit, Debian arm32 doesn't).
Anyway, to be safe, this avoids 64-bit arithmetic in assembler at the cost
of some extra awkwardness because we have to define the values in 32-bit
halves.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The existing function to add a new property to a tree being built requires
that the entire contents of the new property be passed in. For some
applications it is more convenient to be able to add the property contents
later, perhaps by reading from a file. This avoids double-buffering of the
contents.
Add a new function to support this and adjust the existing fdt_property() to
use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We have a couple of checks of the form:
if (offset+size > totalsize)
die();
We need to check that offset+size doesn't overflow, otherwise the check
will pass, and we may access past totalsize.
Found with AFL.
Signed-off-by: Anton Blanchard <anton@samba.org>
[Added a testcase]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
ePAPR 1.1 section 2.2.1.1 "Node Name Requirements" specifies that any
node that has a reg property must include a unit address in its name
with value matching the first entry in its reg property. Conversely, if
a node does not have a reg property, the node name must not include a
unit address.
Adjust all the dtc test-cases to conform to this rule.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In device trees in the world, properties consisting of a single 64-bit
integer are not as common as those consisting of a single 32-bit, cell
sized integer, but they're common enough that they're worth including
convenience functions for.
This patch adds helper wrappers of fdt_setprop_inplace(), fdt_setprop() and
fdt_appendprop() for handling 64-bit integer quantities in properties. For
better consistency with the names of these new *_u64() functions we also
add *_u32() functions as alternative names for the existing *_cell()
functions handling 32-bit integers.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently, the Linux kernel, libfdt and dtc, when using flattened
device trees encode a node's phandle into a property named
"linux,phandle". The ePAPR specification, however - aiming as it is
to not be a Linux specific spec - requires that phandles be encoded in
a property named simply "phandle".
This patch adds support for this newer approach to dtc and libfdt.
Specifically:
- fdt_get_phandle() will now return the correct phandle if it
is supplied in either of these properties
- fdt_node_offset_by_phandle() will correctly find a node with
the given phandle encoded in either property.
- By default, when auto-generating phandles, dtc will encode
it into both properties for maximum compatibility. A new -H
option allows either only old-style or only new-style
properties to be generated.
- If phandle properties are explicitly supplied in the dts
file, dtc will not auto-generate ones in the alternate format.
- If both properties are supplied, dtc will check that they
have the same value.
- Some existing testcases are updated to use a mix of old and
new-style phandles, partially testing the changes.
- A new phandle_format test further tests the libfdt support,
and the -H option.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There's currently an off-by-one bug in fdt_subnode_offset_namelen()
which causes it to keep searching after it's finished the subnodes of
the given parent, and into the subnodes of siblings of the original
node which come after it in the tree.
This patch fixes the bug. It also extends the subnode_offset testcase
(updating all of the 'test_tree1' example trees in the process) to
catch it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds checks to the checking framework to verify that node
and property names contain only legal characters, and in the case of
node names there is at most one '@'.
At present when coming from dts input, this is mostly already ensured
by the grammer, however putting the check later means its easier to
generate helpful error messages rather than just "syntax error". For
dtb input, these checks replace the older similar check built into
flattree.c.
Testcases for the checks are also implemented.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In a number of places through libfdt and its tests, we have *_typed()
macro variants on functions which use gcc's typeof and statement
expression extensions to allow passing literals where the underlying
function takes a buffer and size.
These seemed like a good idea at the time, but in fact they have some
problems. They use typeof and statement expressions, extensions I'd
prefer to avoid for portability. Plus, they have potential gotchas -
although they'll deal with the size of the thing passed, they won't
deal with other representation issues (like endianness) and results
could be very strange if the type of the expression passed isn't what
you think it is.
In fact, the only users of these _typed() macros were when the value
passed is a single cell (32-bit integer). Therefore, this patch
removes all these _typed() macros and replaces them with explicit
_cell() variants which handle a single 32-bit integer, and which also
perform endian convesions as appropriate.
With this in place, it now becomes easy to use standardized big-endian
representation for integer valued properties in the testcases,
regardless of the platform we're running on. We therefore do that,
which has the additional advantage that all the example trees created
during a test run are now byte-for-byte identical regardless of
platform.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds fdt_get_phandle() and fdt_node_offset_by_phandle()
functions to libfdt. fdt_get_phandle() will retreive the phandle
value of a given node, and fdt_node_offset_by_phandle() will locate a
node given a phandle.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch makes the helper macros in trees.S use separate labels for
the end of each dt subblock, rather than using only start labels.
This means that the macros can now be used to create trees with the
subblocks in non-standard orders.
In addition, it adds a bunch of extra ; after lines of asm code in
macros, making them safe to use in nested macros.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds functions for dealing with the compatible property.
fdt_node_check_compatible() can be used to determine whether a node is
compatible with a given string and fdt_node_offset_by_compatible()
locates nodes with a given compatible string.
Testcases for these functions are also included.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds functions to libfdt for accessing the memory
reservation map section of a device tree blob. fdt_num_mem_rsv()
retreives the number of reservation entries in a dtb, and
fdt_get_mem_rsv() retreives a specific reservation entry.
fdt_add_mem_rsv() adds a new entry, and fdt_del_mem_rsv() removes a
specific numbered entry.
Testcases for these new functions are also included.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present, the fdt_subnode_offset() and fdt_path_offset() functions
in libfdt require the exact name of the nodes in question be passed,
including unit address.
This is contrary to traditional OF-like finddevice() behaviour, which
allows the unit address to be omitted (which is useful when the device
name is unambiguous without the address).
This patch introduces similar behaviour to
fdt_subnode_offset_namelen(), and hence to fdt_subnode_offset() and
fdt_path_offset() which are implemented in terms of the former. The
unit address can be omitted from the given node name. If this is
ambiguous, the first such node in the flattened tree will be selected
(this behaviour is consistent with IEEE1275 which specifies only that
an arbitrary node matching the given information be selected).
This very small change is then followed by many more diffs which
change the test examples and testcases to exercise this behaviour.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This large patch removes all trailing whitespace from dtc (including
libfdt, the testsuite and documentation). It also removes a handful
of redundant blank lines (at the end of functions, or when there are
two blank lines together for no particular reason).
As well as anything else, this means that quilt won't whinge when I go
to convert the whole of libfdt into a patch to apply to the kernel.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Since its beginning, libfdt has used an incorrect definition of the
format for a property, putting the name offset before length, rather
than the other way around as described in booting-without-of.txt.
This corrects the error, making libfdt actually produce and use trees
which are compatible with the kernel and dtc.
Signed-of-by: David Gibson <david@gibson.dropbear.id.au>
The libfdt functions are supposed to behave tolerably well when practical,
even if given a corrupted device tree as input. A silly mistake in
fdt_get_property() means we're bounds checking against the size of a pointer
instead of the size of a property header, meaning we can get bogus
behaviour in a corrupted device tree where the structure block ends in
what's supposed to be the middle of a property.
This patch corrects the problem (fdt_get_property() will now return
BADSTRUCTURE in this case), and also adds a testcase to catch the bug.
This patch fixes a number of embarrasing oversights which meant libfdt
did not work correctly on little endian machines. With this patch the
testsuite now passes on x86. Device trees are always created
big-endian.
v17 of the blob format adds a field for the size of the structure
block, but is backwards compatible with v16. This patch introduces
definitions for the new field, and uses it to improve the bounds
checking in the read-only code. It also cleans up the sequential
write code using it: we no longer need to borrow the version field as
a write pointer.