From: Michael Clark
To: qemu-devel@nongnu.org
Cc: patches@groups.riscv.org, Michael Clark, Palmer Dabbelt, Sagar Karandikar, Bastian Koppelmann
Date: Fri, 16 Mar 2018 12:41:05 -0700
Message-Id: <1521229281-73637-9-git-send-email-mjc@sifive.com>
In-Reply-To: <1521229281-73637-1-git-send-email-mjc@sifive.com>
References: <1521229281-73637-1-git-send-email-mjc@sifive.com>
Subject: [Qemu-devel] [PATCH v3 08/24] RISC-V: Make sure rom has space for fdt

Remove a potential buffer overflow (not seen in practice). Perhaps
cpu_physical_memory_write already has bounds checks. This change
however makes space for the maximum device tree size and adds an
explicit bounds check and error message. It doesn't trigger, but it
may help in the future if the device-tree size is exceeded, e.g. with
large bootargs.

Cc: Sagar Karandikar
Cc: Bastian Koppelmann
Signed-off-by: Michael Clark
Signed-off-by: Palmer Dabbelt
---
 hw/riscv/sifive_u.c | 20 ++++++++++++--------
 hw/riscv/spike.c    | 16 +++++++++++-----
 hw/riscv/virt.c     | 13 +++++++++----
 3 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index 083043a..57b4f4f 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -52,7 +52,7 @@ static const struct MemmapEntry { hwaddr size; } sifive_u_memmap[] =3D { [SIFIVE_U_DEBUG] =3D { 0x0, 0x100 }, - [SIFIVE_U_MROM] =3D { 0x1000, 0x2000 }, + [SIFIVE_U_MROM] =3D { 0x1000, 0x11000 }, [SIFIVE_U_CLINT] =3D { 0x2000000, 0x10000 }, [SIFIVE_U_PLIC] =3D { 0xc000000, 0x4000000 }, [SIFIVE_U_UART0] =3D { 0x10013000, 0x1000 }, @@ -221,7 +221,7 @@ static void riscv_sifive_u_init(MachineState *machine) const struct MemmapEntry *memmap =3D sifive_u_memmap; =20 SiFiveUState *s =3D g_new0(SiFiveUState, 1); - MemoryRegion *sys_memory =3D get_system_memory(); + MemoryRegion *system_memory =3D get_system_memory(); MemoryRegion *main_mem =3D g_new(MemoryRegion, 1); MemoryRegion *mask_rom =3D g_new(MemoryRegion, 1); =20 @@ -239,7 +239,7 @@ static void riscv_sifive_u_init(MachineState *machine) /* register RAM */ memory_region_init_ram(main_mem, NULL, "riscv.sifive.u.ram", machine->ram_size, &error_fatal); - memory_region_add_subregion(sys_memory, memmap[SIFIVE_U_DRAM].base, + memory_region_add_subregion(system_memory, memmap[SIFIVE_U_DRAM].base, main_mem); =20 /* create device tree */ @@ -247,9 +247,9 @@ static void riscv_sifive_u_init(MachineState *machine) =20 /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.sifive.u.mrom", - memmap[SIFIVE_U_MROM].base, &error_fatal); - memory_region_set_readonly(mask_rom, true); - memory_region_add_subregion(sys_memory, 0x0, mask_rom); + memmap[SIFIVE_U_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SIFIVE_U_MROM].base, + mask_rom); =20 if (machine->kernel_filename) { load_kernel(machine->kernel_filename); 
@@ -276,6 +276,10 @@ static void riscv_sifive_u_init(MachineState *machine) copy_le32_to_phys(memmap[SIFIVE_U_MROM].base, reset_vec, sizeof(reset_= vec)); =20 /* copy in the device tree */ + if (s->fdt_size >=3D memmap[SIFIVE_U_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[SIFIVE_U_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); @@ -293,9 +297,9 @@ static void riscv_sifive_u_init(MachineState *machine) SIFIVE_U_PLIC_CONTEXT_BASE, SIFIVE_U_PLIC_CONTEXT_STRIDE, memmap[SIFIVE_U_PLIC].size); - sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART0].base, + sifive_uart_create(system_memory, memmap[SIFIVE_U_UART0].base, serial_hds[0], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART0_IRQ]); - /* sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART1].base, + /* sifive_uart_create(system_memory, memmap[SIFIVE_U_UART1].base, serial_hds[1], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART1_IRQ]); */ sifive_clint_create(memmap[SIFIVE_U_CLINT].base, memmap[SIFIVE_U_CLINT].size, smp_cpus, diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c index 64e585e..c7d937b 100644 --- a/hw/riscv/spike.c +++ b/hw/riscv/spike.c @@ -46,7 +46,7 @@ static const struct MemmapEntry { hwaddr base; hwaddr size; } spike_memmap[] =3D { - [SPIKE_MROM] =3D { 0x1000, 0x2000 }, + [SPIKE_MROM] =3D { 0x1000, 0x11000 }, [SPIKE_CLINT] =3D { 0x2000000, 0x10000 }, [SPIKE_DRAM] =3D { 0x80000000, 0x0 }, }; @@ -197,8 +197,9 @@ static void spike_v1_10_0_board_init(MachineState *mach= ine) =20 /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom", - s->fdt_size + 0x2000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[SPIKE_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base, + mask_rom); =20 if (machine->kernel_filename) { load_kernel(machine->kernel_filename); 
@@ -225,6 +226,10 @@ static void spike_v1_10_0_board_init(MachineState *mac= hine) copy_le32_to_phys(memmap[SPIKE_MROM].base, reset_vec, sizeof(reset_vec= )); =20 /* copy in the device tree */ + if (s->fdt_size >=3D memmap[SPIKE_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[SPIKE_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); @@ -266,8 +271,9 @@ static void spike_v1_09_1_board_init(MachineState *mach= ine) =20 /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom", - 0x40000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[SPIKE_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base, + mask_rom); =20 if (machine->kernel_filename) { load_kernel(machine->kernel_filename); diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c index 5913100..d680cbd 100644 --- a/hw/riscv/virt.c +++ b/hw/riscv/virt.c @@ -45,8 +45,8 @@ static const struct MemmapEntry { hwaddr size; } virt_memmap[] =3D { [VIRT_DEBUG] =3D { 0x0, 0x100 }, - [VIRT_MROM] =3D { 0x1000, 0x2000 }, - [VIRT_TEST] =3D { 0x4000, 0x1000 }, + [VIRT_MROM] =3D { 0x1000, 0x11000 }, + [VIRT_TEST] =3D { 0x100000, 0x1000 }, [VIRT_CLINT] =3D { 0x2000000, 0x10000 }, [VIRT_PLIC] =3D { 0xc000000, 0x4000000 }, [VIRT_UART0] =3D { 0x10000000, 0x100 }, @@ -297,8 +297,9 @@ static void riscv_virt_board_init(MachineState *machine) =20 /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv_virt_board.mrom", - s->fdt_size + 0x2000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[VIRT_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[VIRT_MROM].base, + mask_rom); =20 if (machine->kernel_filename) { uint64_t kernel_entry =3D load_kernel(machine->kernel_filename); 
@@ -336,6 +337,10 @@ static void riscv_virt_board_init(MachineState *machin= e) copy_le32_to_phys(memmap[VIRT_MROM].base, reset_vec, sizeof(reset_vec)= ); =20 /* copy in the device tree */ + if (s->fdt_size >=3D memmap[VIRT_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[VIRT_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); --=20 2.7.0
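Review bot: The sifive_u.c boot rom hunk drops `memory_region_set_readonly(mask_rom, true);` without a word in the commit message; a mask ROM the guest can overwrite is a guest-visible behaviour change, not part of the bounds fix. If the flag was removed because the later `copy_le32_to_phys` and `cpu_physical_memory_write` into the region need it writable, say so and consider re-applying the flag once the reset vector and fdt are in place; otherwise keep the line. The same hunk is also the real defect this patch fixes: the old call passed `memmap[SIFIVE_U_MROM].base` (0x1000) as the size argument and mapped the region at `0x0`, so the reset vector and fdt copied to `memmap[SIFIVE_U_MROM].base` fell entirely outside the ROM region. Stating that in the commit message would be more accurate than "not seen in practice".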
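Review bot: The `sys_memory` to `system_memory` rename is unrelated to the fix and spreads across the RAM, UART0 and commented-out UART1 hunks of sifive_u.c; move it to a separate patch so the functional change stays minimal and bisectable.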
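Review bot: In the device-tree hunks of sifive_u.c, spike.c and virt.c the check `s->fdt_size >= memmap[..._MROM].size - sizeof(reset_vec)` is off by one in the conservative direction: the write covers `[base + sizeof(reset_vec), base + sizeof(reset_vec) + fdt_size)`, so an fdt of exactly `size - sizeof(reset_vec)` bytes fits and `>` is the precise condition. The three copies are also identical; a shared helper taking the ROM size, `sizeof(reset_vec)` and `s->fdt_size` would keep them from drifting apart, and the error text could print the two sizes so a user with large bootargs knows how much to trim.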
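Review bot: In the virt.c memmap hunk VIRT_TEST moves from 0x4000 to 0x100000, presumably because the enlarged MROM now spans 0x1000 to 0x12000 and would overlap it, but the commit message does not mention relocating the test device; add a sentence, since this is a guest-visible change to the machine's memory map, and confirm no other entry in the map falls inside the new ROM range.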
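Review bot: The spike_v1_09_1_board_init boot rom hunk shrinks the region from 0x40000 to 0x11000 but, unlike the 1.10 board, gains no size check before whatever is copied in after the reset vector; either give it the same check or explain in the commit message why the smaller ROM is known to be sufficient for that board.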
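Review bot: In the spike.c (1.10) and virt.c boot rom hunks the region changes from `s->fdt_size + 0x2000`, which grew with the fdt and could not overflow, to a fixed 0x11000 plus a hard `exit(1)`; that is a regression for any fdt larger than that unless 0x11000 is the true ceiling. The commit message says the new size covers "the maximum device tree size", but nothing in the patch ties 0x11000 to that maximum; derive the memmap size from the same constant that bounds fdt generation, or at least reference it in a comment next to the memmap entry.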
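The boundary the patch's check is guarding, as an added example that is not part of the patch or of QEMU: a simulated ROM is populated the same way the boards do it (little-endian reset vector first, fdt blob after it), once with the patch's `>=` condition and once with the exact `<=` bound written overflow-safe. The ROM size 0x11000 mirrors the new memmap entries; the 8-word reset vector, its contents and the fdt bytes are constructed for the example and are assumptions, not values from the source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed sizes that mirror the patch's new memmap entries; they are
 * assumptions for this example, not values taken from the QEMU source.
 */
#define EXAMPLE_MROM_SIZE    0x11000u  /* [..._MROM] size after the patch */
#define EXAMPLE_RESVEC_WORDS 8u        /* assumed 8-word reset vector */

/* The patch's condition: reject when fdt_size >= rom_size - sizeof(reset_vec). */
static bool fits_patch_style(uint64_t rom_size, uint64_t resvec_len, uint64_t fdt_size)
{
    return !(fdt_size >= rom_size - resvec_len);
}

/*
 * Exact bound, written overflow-safe: never forms rom_size - resvec_len when
 * resvec_len exceeds rom_size, and accepts an fdt that exactly fills the
 * space after the reset vector.
 */
static bool fits_exact(uint64_t rom_size, uint64_t resvec_len, uint64_t fdt_size)
{
    if (resvec_len > rom_size) {
        return false;
    }
    return fdt_size <= rom_size - resvec_len;
}

/*
 * Populate a simulated ROM: little-endian reset vector first, fdt blob after it.
 * Stands in for the copy_le32_to_phys + cpu_physical_memory_write pair in the
 * patch. Returns the number of bytes written, or 0 if the blob does not fit.
 */
static size_t rom_populate(uint8_t *rom, size_t rom_size,
                           const uint32_t *resvec, size_t resvec_words,
                           const uint8_t *fdt, size_t fdt_size)
{
    size_t resvec_len = resvec_words * sizeof(uint32_t);

    if (!fits_exact(rom_size, resvec_len, fdt_size)) {
        return 0;
    }
    for (size_t i = 0; i < resvec_words; i++) {
        uint32_t w = resvec[i];
        rom[4 * i + 0] = (uint8_t)(w);
        rom[4 * i + 1] = (uint8_t)(w >> 8);
        rom[4 * i + 2] = (uint8_t)(w >> 16);
        rom[4 * i + 3] = (uint8_t)(w >> 24);
    }
    memcpy(rom + resvec_len, fdt, fdt_size);
    return resvec_len + fdt_size;
}

/* Driver: a constructed reset vector plus a blob that exactly fills the rest. */
static size_t demo_exact_fit(void)
{
    static uint8_t rom[EXAMPLE_MROM_SIZE];
    static uint8_t fdt[EXAMPLE_MROM_SIZE - 4 * EXAMPLE_RESVEC_WORDS];
    /* constructed reset vector: 'auipc t0, 0' followed by nops */
    uint32_t resvec[EXAMPLE_RESVEC_WORDS] = {
        0x00000297, 0x00000013, 0x00000013, 0x00000013,
        0x00000013, 0x00000013, 0x00000013, 0x00000013,
    };

    memset(fdt, 0xd0, sizeof(fdt));   /* payload bytes are irrelevant to the size check */
    return rom_populate(rom, sizeof(rom), resvec, EXAMPLE_RESVEC_WORDS, fdt, sizeof(fdt));
}
```

With a 32-byte reset vector the patch-style check turns away a 0x10fe0-byte fdt that would have fit exactly, while `fits_exact` accepts it and still rejects one byte more; the `resvec_len > rom_size` guard matters because both sizes are unsigned and the subtraction would otherwise wrap.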