Subject: [PATCH v2 5/5] libxenguest: simplify kernel decompression
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, George Dunlap, Ian Jackson, Julien Grall, Stefano Stabellini, Wei Liu
Date: Tue, 19 Jan 2021 16:17:12 +0100

In all cases the kernel build makes available the uncompressed size in the final 4 bytes of the bzImage payload. Utilize this to avoid repeated realloc()ing of the output buffer.

As a side effect this also addresses the previous mistaken return of 0 (success) from xc_try_{bzip2,lzma,xz}_decode() in case xc_dom_register_external() would have failed.

As another side effect this also addresses the first error path of _xc_try_lzma_decode() previously bypassing lzma_end().

Signed-off-by: Jan Beulich
Acked-by: Wei Liu
---
v2: New.

--- a/tools/libs/guest/xg_dom_bzimageloader.c +++ b/tools/libs/guest/xg_dom_bzimageloader.c @@ -48,18 +48,16 @@ static int xc_try_bzip2_decode( bz_stream stream; int ret; char *out_buf; - char *tmp_buf; int retval =3D -1; - unsigned int outsize; - uint64_t total; + unsigned int insize, outsize; =20 stream.bzalloc =3D NULL; stream.bzfree =3D NULL; stream.opaque =3D NULL; =20 - if ( dom->kernel_size =3D=3D 0) + if ( *size <=3D 8 ) { - DOMPRINTF("BZIP2: Input is 0 size"); + DOMPRINTF("BZIP2: insufficient input data"); return -1; } =20
@@ -70,22 +68,25 @@ static int xc_try_bzip2_decode( return -1; } =20 - /* sigh. We don't know up-front how much memory we are going to need - * for the output buffer. Allocate the output buffer to be equal - * the input buffer to start, and we'll realloc as needed. - */ - outsize =3D dom->kernel_size; + insize =3D *size - 4; + outsize =3D *(uint32_t *)(*blob + insize); =20 /* - * stream.avail_in and outsize are unsigned int, while kernel_size + * stream.avail_in and insize are unsigned int, while *size * is a size_t. Check we aren't overflowing. */ - if ( outsize !=3D dom->kernel_size ) + if ( insize + 4 !=3D *size ) { DOMPRINTF("BZIP2: Input too large"); goto bzip2_cleanup; } =20 + if ( xc_dom_kernel_check_size(dom, outsize) ) + { + DOMPRINTF("BZIP2: output too large"); + goto bzip2_cleanup; + } + out_buf =3D malloc(outsize); if ( out_buf =3D=3D NULL ) { 
@@ -94,86 +95,45 @@ static int xc_try_bzip2_decode( } =20 stream.next_in =3D dom->kernel_blob; - stream.avail_in =3D dom->kernel_size; + stream.avail_in =3D insize; =20 stream.next_out =3D out_buf; - stream.avail_out =3D dom->kernel_size; + stream.avail_out =3D outsize; =20 - for ( ; ; ) + ret =3D BZ2_bzDecompress(&stream); + if ( ret =3D=3D BZ_STREAM_END ) + DOMPRINTF("BZIP2: Saw data stream end"); + else if ( ret !=3D BZ_OK ) { - ret =3D BZ2_bzDecompress(&stream); - if ( ret =3D=3D BZ_STREAM_END ) - { - DOMPRINTF("BZIP2: Saw data stream end"); - retval =3D 0; - break; - } - if ( ret !=3D BZ_OK ) - { - DOMPRINTF("BZIP2: error %d", ret); - free(out_buf); - goto bzip2_cleanup; - } + DOMPRINTF("BZIP2: error %d", ret); + free(out_buf); + goto bzip2_cleanup; + } =20 - if ( stream.avail_out =3D=3D 0 ) - { - /* Protect against output buffer overflow */ - if ( outsize > UINT_MAX / 2 ) - { - DOMPRINTF("BZIP2: output buffer overflow"); - free(out_buf); - goto bzip2_cleanup; - } - - if ( xc_dom_kernel_check_size(dom, outsize * 2) ) - { - DOMPRINTF("BZIP2: output too large"); - free(out_buf); - goto bzip2_cleanup; - } - - tmp_buf =3D realloc(out_buf, outsize * 2); - if ( tmp_buf =3D=3D NULL ) - { - DOMPRINTF("BZIP2: Failed to realloc memory"); - free(out_buf); - goto bzip2_cleanup; - } - out_buf =3D tmp_buf; - - stream.next_out =3D out_buf + outsize; - stream.avail_out =3D (outsize * 2) - outsize; - outsize *=3D 2; - } - else if ( stream.avail_in =3D=3D 0 ) - { - /* - * If there is output buffer available then this indicates - * that BZ2_bzDecompress would like more input data to be - * provided. However our complete input buffer is in - * memory and provided upfront so if avail_in is zero this - * actually indicates a truncated input. 
- */ - DOMPRINTF("BZIP2: not enough input"); - free(out_buf); - goto bzip2_cleanup; - } + if ( stream.total_out_lo32 !=3D outsize || stream.total_out_hi32 ) + { + DOMPRINTF("BZIP2: got 0x%x%08x bytes instead of 0x%09x", + stream.total_out_hi32, stream.total_out_lo32, outsize); + free(out_buf); + goto bzip2_cleanup; } =20 - total =3D (((uint64_t)stream.total_out_hi32) << 32) | stream.total_out= _lo32; + if ( stream.avail_in ) + DOMPRINTF("BZIP2: Warning: %#x unconsumed bytes", stream.avail_in); =20 - if ( xc_dom_register_external(dom, out_buf, total) ) + if ( xc_dom_register_external(dom, out_buf, outsize) ) { DOMPRINTF("BZIP2: Error registering stream output"); free(out_buf); goto bzip2_cleanup; } =20 - DOMPRINTF("%s: BZIP2 decompress OK, 0x%zx -> 0x%lx", - __FUNCTION__, *size, (long unsigned int) total); + DOMPRINTF("%s: BZIP2 decompress OK, 0x%zx -> 0x%x", + __FUNCTION__, *size, outsize); =20 *blob =3D out_buf; - *size =3D total; + *size =3D outsize; + retval =3D 0; =20 bzip2_cleanup: BZ2_bzDecompressEnd(&stream); @@ -205,22 +165,24 @@ static int _xc_try_lzma_decode( lzma_ret ret; lzma_action action =3D LZMA_RUN; unsigned char *out_buf; - unsigned char *tmp_buf; int retval =3D -1; - size_t outsize; - const char *msg; + size_t insize, outsize; =20 - if ( dom->kernel_size =3D=3D 0) + if ( *size < 8 ) { - DOMPRINTF("%s: Input is 0 size", what); - return -1; + DOMPRINTF("%s: insufficient input data", what); + goto lzma_cleanup; + } + + insize =3D *size - 4; + outsize =3D *(uint32_t *)(*blob + insize); + + if ( xc_dom_kernel_check_size(dom, outsize) ) + { + DOMPRINTF("%s: output too large", what); + goto lzma_cleanup; } =20 - /* sigh. We don't know up-front how much memory we are going to need - * for the output buffer. Allocate the output buffer to be equal - * the input buffer to start, and we'll realloc as needed. - */ - outsize =3D dom->kernel_size; out_buf =3D malloc(outsize); if ( out_buf =3D=3D NULL ) { 
@@ -229,92 +191,68 @@ static int _xc_try_lzma_decode( } =20 stream->next_in =3D dom->kernel_blob; - stream->avail_in =3D dom->kernel_size; + stream->avail_in =3D insize; =20 stream->next_out =3D out_buf; - stream->avail_out =3D dom->kernel_size; + stream->avail_out =3D outsize; =20 - for ( ; ; ) + ret =3D lzma_code(stream, action); + if ( ret =3D=3D LZMA_STREAM_END ) + DOMPRINTF("%s: Saw data stream end", what); + else if ( ret !=3D LZMA_OK ) { - ret =3D lzma_code(stream, action); - if ( ret =3D=3D LZMA_STREAM_END ) + const char *msg; + + switch ( ret ) { - DOMPRINTF("%s: Saw data stream end", what); - retval =3D 0; + case LZMA_MEM_ERROR: + msg =3D strerror(ENOMEM); break; - } - if ( ret !=3D LZMA_OK ) - { - switch ( ret ) - { - case LZMA_MEM_ERROR: - msg =3D strerror(ENOMEM); - break; =20 - case LZMA_MEMLIMIT_ERROR: - msg =3D "Memory usage limit reached"; - break; + case LZMA_MEMLIMIT_ERROR: + msg =3D "Memory usage limit reached"; + break; =20 - case LZMA_FORMAT_ERROR: - msg =3D "File format not recognized"; - break; + case LZMA_FORMAT_ERROR: + msg =3D "File format not recognized"; + break; =20 - case LZMA_OPTIONS_ERROR: - // FIXME: Better message? - msg =3D "Unsupported compression options"; - break; + case LZMA_OPTIONS_ERROR: + // FIXME: Better message? 
+ msg =3D "Unsupported compression options"; + break; =20 - case LZMA_DATA_ERROR: - msg =3D "File is corrupt"; - break; + case LZMA_DATA_ERROR: + msg =3D "File is corrupt"; + break; =20 - case LZMA_BUF_ERROR: - msg =3D "Unexpected end of input"; - break; + case LZMA_BUF_ERROR: + msg =3D "Unexpected end of input"; + break; =20 - default: - msg =3D "Internal program error (bug)"; - break; - } - DOMPRINTF("%s: %s decompression error: %s", - __FUNCTION__, what, msg); - free(out_buf); - goto lzma_cleanup; + default: + msg =3D "Internal program error (bug)"; + break; } =20 - if ( stream->avail_out =3D=3D 0 ) - { - /* Protect against output buffer overflow */ - if ( outsize > SIZE_MAX / 2 ) - { - DOMPRINTF("%s: output buffer overflow", what); - free(out_buf); - goto lzma_cleanup; - } - - if ( xc_dom_kernel_check_size(dom, outsize * 2) ) - { - DOMPRINTF("%s: output too large", what); - free(out_buf); - goto lzma_cleanup; - } - - tmp_buf =3D realloc(out_buf, outsize * 2); - if ( tmp_buf =3D=3D NULL ) - { - DOMPRINTF("%s: Failed to realloc memory", what); - free(out_buf); - goto lzma_cleanup; - } - out_buf =3D tmp_buf; - - stream->next_out =3D out_buf + outsize; - stream->avail_out =3D (outsize * 2) - outsize; - outsize *=3D 2; - } + DOMPRINTF("%s: %s decompression error: %s", + __FUNCTION__, what, msg); + free(out_buf); + goto lzma_cleanup; + } + + if ( stream->total_out !=3D outsize ) + { + DOMPRINTF("%s: got 0x%"PRIx64" bytes instead of 0x%zx", + what, stream->total_out, outsize); + free(out_buf); + goto lzma_cleanup; } =20 - if ( xc_dom_register_external(dom, out_buf, stream->total_out) ) + if ( stream->avail_in ) + DOMPRINTF("%s: Warning: %#zx unconsumed bytes", what, stream->avai= l_in); + + if ( xc_dom_register_external(dom, out_buf, outsize) ) { DOMPRINTF("%s: Error registering stream output", what); free(out_buf); 
@@ -322,10 +260,11 @@ static int _xc_try_lzma_decode( } =20 DOMPRINTF("%s: %s decompress OK, 0x%zx -> 0x%zx", - __FUNCTION__, what, *size, (size_t)stream->total_out); + __FUNCTION__, what, *size, outsize); =20 *blob =3D out_buf; - *size =3D stream->total_out; + *size =3D outsize; + retval =3D 0; =20 lzma_cleanup: lzma_end(stream); @@ -408,8 +347,8 @@ static int xc_try_lzo1x_decode( { int ret; const unsigned char *cur =3D dom->kernel_blob; - unsigned char *out_buf =3D NULL; - size_t left =3D dom->kernel_size, outsize; + unsigned char *out_buf; + size_t left =3D dom->kernel_size, outsize, outtot; const char *msg; unsigned version; static const unsigned char magic[] =3D { @@ -435,6 +374,15 @@ static int xc_try_lzo1x_decode( return -1; } =20 + left -=3D 4; + outtot =3D *(uint32_t *)(*blob + left); + + if ( xc_dom_kernel_check_size(dom, outtot) ) + { + DOMPRINTF("LZO1x: output too large"); + return -1; + } + /* get version (2bytes), skip library version (2), * 'need to be extracted' version (2) and method (1) */ version =3D lzo_read_16(cur + 9); @@ -471,10 +419,16 @@ static int xc_try_lzo1x_decode( cur +=3D ret; left -=3D ret; =20 + out_buf =3D malloc(outtot); + if ( !out_buf ) + { + DOMPRINTF("LZO1x: failed to alloc memory"); + return -1; + } + for ( outsize =3D 0; ; ) { lzo_uint src_len, dst_len, out_len; - unsigned char *tmp_buf; =20 msg =3D "Short input"; if ( left < 4 ) @@ -483,6 +437,13 @@ static int xc_try_lzo1x_decode( dst_len =3D lzo_read_32(cur); if ( !dst_len ) { + msg =3D "Unexpected output size"; + if ( outsize !=3D outtot ) + break; + + if ( left !=3D 4 ) + DOMPRINTF("LZO1x: Warning: %#zx unconsumed bytes", left - = 4); + msg =3D "Error registering stream output"; if ( xc_dom_register_external(dom, out_buf, outsize) ) break; 
@@ -514,19 +475,9 @@ static int xc_try_lzo1x_decode( break; =20 msg =3D "Output buffer overflow"; - if ( outsize > SIZE_MAX - dst_len ) - break; - - msg =3D "Decompressed image too large"; - if ( xc_dom_kernel_check_size(dom, outsize + dst_len) ) - break; - - msg =3D "Failed to (re)alloc memory"; - tmp_buf =3D realloc(out_buf, outsize + dst_len); - if ( tmp_buf =3D=3D NULL ) + if ( dst_len > outtot - outsize ) break; =20 - out_buf =3D tmp_buf; out_len =3D dst_len; =20 ret =3D lzo1x_decompress_safe(cur, src_len,
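Review bot: in the @@ -70,22 +68,25 @@ hunk of xc_try_bzip2_decode(), `outsize = *(uint32_t *)(*blob + insize);` reads the trailer through a uint32_t pointer at an offset the image controls, with no alignment guarantee and in violation of strict aliasing; the same open-coded cast is repeated in the lzma (@@ -205) and lzo1x (@@ -435) hunks. Suggest one small shared helper that does `memcpy(&v, *blob + insize, 4)` and documents that the value is little-endian as written by the kernel build. A comment that this value is untrusted input would also help: it is bounded only by xc_dom_kernel_check_size(), and a value smaller than the real size is caught only by the later total_out comparison.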
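Review bot: in the @@ -94,86 +95,45 @@ hunk, a BZ_OK return from the single BZ2_bzDecompress() call now leads to success whenever total_out equals outsize, whereas the removed loop set retval = 0 only on BZ_STREAM_END. With all input supplied up front, BZ_OK together with a full output buffer means the decompressor stopped because the trailer value was smaller than the real uncompressed size, and the code then registers a truncated image after only printing the "unconsumed bytes" warning. Suggest failing when `ret != BZ_STREAM_END` (or when stream.avail_in is non-zero) instead of warning.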
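Review bot: in the @@ -205,22 +165,24 @@ hunk the minimum-length check is `if ( *size < 8 )`, while the bzip2 hunk (@@ -48) uses `if ( *size <= 8 )`; both guard a compressed stream followed by the same 4-byte trailer, so the two bounds should agree, and a comment on what the 8 accounts for would help. The early `goto lzma_cleanup` here runs before out_buf is assigned; that is fine only because lzma_cleanup never frees out_buf, which deserves a comment so a later change to the cleanup label does not turn this path into a free of an uninitialised pointer.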
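Review bot: in the @@ -229,92 +191,68 @@ hunk, LZMA_OK with `stream->total_out == outsize` falls through to registration even though the stream did not reach LZMA_STREAM_END; that is exactly the outcome when the image-supplied trailer understates the output size, and it is only reported through the "unconsumed bytes" warning. Suggest requiring LZMA_STREAM_END for success, mirroring the old loop, so a mismatch between trailer and stream is an error rather than a log line.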
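Review bot: in the @@ -435,6 +374,15 @@ hunk, `left -= 4;` is unconditional and `left` is a size_t; unless the preceding magic/header check already bounds `left` to at least the fixed header plus 4 trailer bytes, the subtraction underflows and `*(uint32_t *)(*blob + left)` reads past the end of the image. The context shown does not include that bound, so either make it explicit in the check or add a comment pointing at it; the loop's later `left < 4` short-input test does not cover this because it runs after the read.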