From: Michael Clark
To: qemu-devel@nongnu.org
Cc: patches@groups.riscv.org, Michael Clark, Palmer Dabbelt, Sagar Karandikar, Bastian Koppelmann
Date: Sat, 24 Mar 2018 11:13:28 -0700
Message-Id: <1521915220-65389-3-git-send-email-mjc@sifive.com>
In-Reply-To: <1521915220-65389-1-git-send-email-mjc@sifive.com>
Subject: [Qemu-devel] [PATCH v6 08/26] RISC-V: Make sure rom has space for fdt

Remove a potential buffer overflow (not seen in practice). Perhaps
cpu_physical_memory_write already has bounds checks. This change however
makes space for the maximum device tree size and adds an explicit bounds
check and error message. It doesn't trigger, but it may help in the future
if the device-tree size is exceeded, e.g. large bootargs.

Cc: Sagar Karandikar
Cc: Bastian Koppelmann
Signed-off-by: Michael Clark
Signed-off-by: Palmer Dabbelt
---
 hw/riscv/sifive_u.c | 20 ++++++++++++--------
 hw/riscv/spike.c    | 16 +++++++++++-----
 hw/riscv/virt.c     | 13 +++++++++----
 3 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index 083043a..57b4f4f 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -52,7 +52,7 @@ static const struct MemmapEntry { hwaddr size; } sifive_u_memmap[] =3D { [SIFIVE_U_DEBUG] =3D { 0x0, 0x100 }, - [SIFIVE_U_MROM] =3D { 0x1000, 0x2000 }, + [SIFIVE_U_MROM] =3D { 0x1000, 0x11000 }, [SIFIVE_U_CLINT] =3D { 0x2000000, 0x10000 }, [SIFIVE_U_PLIC] =3D { 0xc000000, 0x4000000 }, [SIFIVE_U_UART0] =3D { 0x10013000, 0x1000 }, @@ -221,7 +221,7 @@ static void riscv_sifive_u_init(MachineState *machine) const struct MemmapEntry *memmap =3D sifive_u_memmap; =20 SiFiveUState *s =3D g_new0(SiFiveUState, 1); - MemoryRegion *sys_memory =3D get_system_memory(); + MemoryRegion *system_memory =3D get_system_memory(); MemoryRegion *main_mem =3D g_new(MemoryRegion, 1); MemoryRegion *mask_rom =3D g_new(MemoryRegion, 1); =20 @@ -239,7 +239,7 @@ static void riscv_sifive_u_init(MachineState *machine) /* register RAM */ memory_region_init_ram(main_mem, NULL, "riscv.sifive.u.ram", machine->ram_size, &error_fatal); - memory_region_add_subregion(sys_memory, memmap[SIFIVE_U_DRAM].base, + memory_region_add_subregion(system_memory, memmap[SIFIVE_U_DRAM].base, main_mem); =20 /* create device tree */ @@ -247,9 +247,9 @@ static void riscv_sifive_u_init(MachineState *machine) =20 /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.sifive.u.mrom", - memmap[SIFIVE_U_MROM].base, &error_fatal); - memory_region_set_readonly(mask_rom, true); - memory_region_add_subregion(sys_memory, 0x0, mask_rom); + memmap[SIFIVE_U_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SIFIVE_U_MROM].base, + mask_rom); =20 if (machine->kernel_filename) { load_kernel(machine->kernel_filename); 
@@ -276,6 +276,10 @@ static void riscv_sifive_u_init(MachineState *machine) copy_le32_to_phys(memmap[SIFIVE_U_MROM].base, reset_vec, sizeof(reset_= vec)); =20 /* copy in the device tree */ + if (s->fdt_size >=3D memmap[SIFIVE_U_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[SIFIVE_U_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); @@ -293,9 +297,9 @@ static void riscv_sifive_u_init(MachineState *machine) SIFIVE_U_PLIC_CONTEXT_BASE, SIFIVE_U_PLIC_CONTEXT_STRIDE, memmap[SIFIVE_U_PLIC].size); - sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART0].base, + sifive_uart_create(system_memory, memmap[SIFIVE_U_UART0].base, serial_hds[0], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART0_IRQ]); - /* sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART1].base, + /* sifive_uart_create(system_memory, memmap[SIFIVE_U_UART1].base, serial_hds[1], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART1_IRQ]); */ sifive_clint_create(memmap[SIFIVE_U_CLINT].base, memmap[SIFIVE_U_CLINT].size, smp_cpus, diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c index 64e585e..c7d937b 100644 --- a/hw/riscv/spike.c +++ b/hw/riscv/spike.c @@ -46,7 +46,7 @@ static const struct MemmapEntry { hwaddr base; hwaddr size; } spike_memmap[] =3D { - [SPIKE_MROM] =3D { 0x1000, 0x2000 }, + [SPIKE_MROM] =3D { 0x1000, 0x11000 }, [SPIKE_CLINT] =3D { 0x2000000, 0x10000 }, [SPIKE_DRAM] =3D { 0x80000000, 0x0 }, }; @@ -197,8 +197,9 @@ static void spike_v1_10_0_board_init(MachineState *mach= ine) =20 /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom", - s->fdt_size + 0x2000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[SPIKE_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base, + mask_rom); =20 if (machine->kernel_filename) { load_kernel(machine->kernel_filename); 
@@ -225,6 +226,10 @@ static void spike_v1_10_0_board_init(MachineState *mac= hine) copy_le32_to_phys(memmap[SPIKE_MROM].base, reset_vec, sizeof(reset_vec= )); =20 /* copy in the device tree */ + if (s->fdt_size >=3D memmap[SPIKE_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[SPIKE_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); @@ -266,8 +271,9 @@ static void spike_v1_09_1_board_init(MachineState *mach= ine) =20 /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom", - 0x40000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[SPIKE_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base, + mask_rom); =20 if (machine->kernel_filename) { load_kernel(machine->kernel_filename); diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c index 5913100..d680cbd 100644 --- a/hw/riscv/virt.c +++ b/hw/riscv/virt.c @@ -45,8 +45,8 @@ static const struct MemmapEntry { hwaddr size; } virt_memmap[] =3D { [VIRT_DEBUG] =3D { 0x0, 0x100 }, - [VIRT_MROM] =3D { 0x1000, 0x2000 }, - [VIRT_TEST] =3D { 0x4000, 0x1000 }, + [VIRT_MROM] =3D { 0x1000, 0x11000 }, + [VIRT_TEST] =3D { 0x100000, 0x1000 }, [VIRT_CLINT] =3D { 0x2000000, 0x10000 }, [VIRT_PLIC] =3D { 0xc000000, 0x4000000 }, [VIRT_UART0] =3D { 0x10000000, 0x100 }, @@ -297,8 +297,9 @@ static void riscv_virt_board_init(MachineState *machine) =20 /* boot rom */ memory_region_init_ram(mask_rom, NULL, "riscv_virt_board.mrom", - s->fdt_size + 0x2000, &error_fatal); - memory_region_add_subregion(system_memory, 0x0, mask_rom); + memmap[VIRT_MROM].size, &error_fatal); + memory_region_add_subregion(system_memory, memmap[VIRT_MROM].base, + mask_rom); =20 if (machine->kernel_filename) { uint64_t kernel_entry =3D load_kernel(machine->kernel_filename); 
@@ -336,6 +337,10 @@ static void riscv_virt_board_init(MachineState *machin= e) copy_le32_to_phys(memmap[VIRT_MROM].base, reset_vec, sizeof(reset_vec)= ); =20 /* copy in the device tree */ + if (s->fdt_size >=3D memmap[VIRT_MROM].size - sizeof(reset_vec)) { + error_report("qemu: not enough space to store device-tree"); + exit(1); + } qemu_fdt_dumpdtb(s->fdt, s->fdt_size); cpu_physical_memory_write(memmap[VIRT_MROM].base + sizeof(reset_vec), s->fdt, s->fdt_size); --=20 2.7.0
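Review bot: in the sifive_u_memmap hunk (and the matching spike_memmap and virt_memmap hunks) the MROM size goes from 0x2000 to the bare literal 0x11000 with no comment saying what "maximum device tree size" it is meant to hold; a named constant or a comment such as `/* 0x1000 reset vector + 0x10000 device tree */` would make the later `memmap[...].size - sizeof(reset_vec)` check readable, and the commit message should state the assumed fdt limit, since anything that exceeds it now aborts machine init.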
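Review bot: the sifive_u "boot rom" hunk silently drops `memory_region_set_readonly(mask_rom, true);`, so the mask ROM stops being read-only and the guest can overwrite the reset vector and device tree that are copied into it; the commit message does not mention this. If the reason is that cpu_physical_memory_write() cannot populate a read-only region, say so, and consider filling the ROM with rom_add_blob_fixed() or re-applying the read-only flag after the copy instead of removing it. The same hunk also fixes a real sizing bug that deserves a sentence in the commit message: the old code passed `memmap[SIFIVE_U_MROM].base` (0x1000) as the region size and mapped it at 0x0, so the reset vector written at `memmap[SIFIVE_U_MROM].base` landed outside the region.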
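Review bot: in the sifive_u "copy in the device tree" hunk the test `s->fdt_size >= memmap[SIFIVE_U_MROM].size - sizeof(reset_vec)` rejects a device tree that exactly fills the remaining space, although that case writes no byte past the region; `>` is the exact bound unless a terminating byte is intentionally reserved, in which case a comment should say so. Also, error_report() already prefixes the message with the program name, so the literal "qemu: " in `error_report("qemu: not enough space to store device-tree");` is redundant and should be dropped (this applies to all three copies of the check).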
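Review bot: the two sifive_uart_create hunks, and the `sys_memory` to `system_memory` renames in the RAM and boot-rom hunks above them, are pure renaming unrelated to the bounds check this patch is about; splitting the rename into its own patch would keep this one reviewable as a safety fix and make it easier to backport on its own.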
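Review bot: the spike_v1_09_1_board_init hunk shrinks the mask ROM from 0x40000 to `memmap[SPIKE_MROM].size` (0x11000) but, unlike spike_v1_10_0_board_init, sifive_u and virt, gets no corresponding bounds check in this patch. If that board also copies a payload after its reset vector, it needs the same check, and more so now that the region is smaller; if it does not, the commit message should say why the reduction from 0x40000 is safe.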
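Review bot: the virt_memmap hunk moves VIRT_TEST from 0x4000 to 0x100000 to make room for the enlarged MROM (0x1000 to 0x12000), but neither the commit message nor the subject mentions that a guest-visible device address changed. Please call it out explicitly, since any firmware or test that hard-codes the old address for the test device will break.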
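Review bot: the "copy in the device tree" check in the virt hunk is the third verbatim copy of the same four lines (sifive_u and spike v1.10.0 carry the other two). Factor it into one shared helper in hw/riscv that takes the MROM memmap entry, the reset-vector size and `s->fdt_size`, so a future fix to the comparison or the message is made once.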