Commit 522ab0f2 authored by Ard Biesheuvel's avatar Ard Biesheuvel Committed by Kamal Mostafa

arm64: mm: avoid fdt_check_header() before the FDT is fully mapped

BugLink: http://bugs.launchpad.net/bugs/1615620

commit 04a84810 upstream.

As reported by Zijun, the fdt_check_header() call in __fixmap_remap_fdt()
is not safe since it is not guaranteed that the FDT header is mapped
completely. Due to the minimum alignment of 8 bytes, the only fields we
can assume to be mapped are 'magic' and 'totalsize'.

Since the OF layer is in charge of validating the FDT image, and we are
only interested in making reasonably sure that the size field contains
a meaningful value, replace the fdt_check_header() call with an explicit
comparison of the magic field's value against the expected value.
Reported-by: default avatarZijun Hu <zijun_hu@htc.com>
Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
parent 3b86437b
...@@ -658,9 +658,9 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys) ...@@ -658,9 +658,9 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
/* /*
* Check whether the physical FDT address is set and meets the minimum * Check whether the physical FDT address is set and meets the minimum
* alignment requirement. Since we are relying on MIN_FDT_ALIGN to be * alignment requirement. Since we are relying on MIN_FDT_ALIGN to be
* at least 8 bytes so that we can always access the size field of the * at least 8 bytes so that we can always access the magic and size
* FDT header after mapping the first chunk, double check here if that * fields of the FDT header after mapping the first chunk, double check
* is indeed the case. * here if that is indeed the case.
*/ */
BUILD_BUG_ON(MIN_FDT_ALIGN < 8); BUILD_BUG_ON(MIN_FDT_ALIGN < 8);
if (!dt_phys || dt_phys % MIN_FDT_ALIGN) if (!dt_phys || dt_phys % MIN_FDT_ALIGN)
...@@ -688,7 +688,7 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys) ...@@ -688,7 +688,7 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
create_mapping(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base, create_mapping(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base,
SWAPPER_BLOCK_SIZE, prot); SWAPPER_BLOCK_SIZE, prot);
if (fdt_check_header(dt_virt) != 0) if (fdt_magic(dt_virt) != FDT_MAGIC)
return NULL; return NULL;
size = fdt_totalsize(dt_virt); size = fdt_totalsize(dt_virt);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment