qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] generic-loader: check that binary file target location ex

From: Damien Hedde
Subject: Re: [PATCH v2] generic-loader: check that binary file target location exists
Date: Tue, 2 Nov 2021 15:04:29 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.1.2 


On 11/1/21 11:53, Peter Maydell wrote:

On Tue, 26 Oct 2021 at 15:11, Damien Hedde <damien.hedde@greensocs.com> wrote:


When loading a binary file, we only check if it is smaller than the
ram_size. It does not really check if the file will be loaded at an
existing location (if there is nothing at the target address, it will
"fail" silently later). It prevents loading a binary blob bigger than
ram_size too even if the target location is big enough.

Replace this check by looking for the target memory region size and
prevent loading a bigger file than the available space.

Get rid of "hw/boards.h" include, since we needed it only to access
`current_machine`.

Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
---

Hi,

This is an updated version implementing what we discussed in v1.

This can be tested easily, eg, using opentitan machine which has a 64K ram
located at 0x10000000.

the following works (we a blob corresponding to the whole ram)
| $ dd bs=1K count=64 if=/dev/zero of=blob.bin
| $ qemu-system-riscv32 -display none -M opentitan -device 
loader,addr=0x10000000,file=blob.bin

but this command fails because we load a blob which is too big
| $ dd bs=1K count=64 if=/dev/zero of=blob.bin
| $ qemu-system-riscv32 -display none -M opentitan -device 
loader,addr=0x10001000,file=blob.bin
| qemu-system-riscv32: -device loader,addr=0x10001000,file=blob.bin: Cannot 
load specified image blob.bin

and this command fails too (we load a blob at an unmapped location)
| $ dd bs=1K count=64 if=/dev/zero of=blob.bin
| $ qemu-system-riscv32 -display none -M opentitan -device 
loader,addr=0x0,file=blob.bin
| qemu-system-riscv32: -device loader,addr=0x0,file=blob.bin: Address 0x0 does 
not exists

Thanks,
Damien

v2:
  + instead of disabling the ram_size check, look for the target

v1: https://lists.nongnu.org/archive/html/qemu-devel/2021-10/msg01077.html

See also the original discussion about generic-loader:
https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg04668.html
https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg04681.html
---
  hw/core/generic-loader.c | 20 +++++++++++++++++---
  1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c
index d14f932eea..88d3f9fd56 100644
--- a/hw/core/generic-loader.c
+++ b/hw/core/generic-loader.c
@@ -34,7 +34,6 @@
  #include "hw/core/cpu.h"
  #include "sysemu/dma.h"
  #include "sysemu/reset.h"
-#include "hw/boards.h"
  #include "hw/loader.h"
  #include "hw/qdev-properties.h"
  #include "qapi/error.h"
@@ -153,8 +152,23 @@ static void generic_loader_realize(DeviceState *dev, Error 
**errp)
          }

          if (size < 0 || s->force_raw) {
-            /* Default to the maximum size being the machine's ram size */
-            size = load_image_targphys_as(s->file, s->addr, 
current_machine->ram_size, as);
+            MemoryRegion *root = as ? as->root : get_system_memory();
+            MemoryRegionSection mrs;
+            uint64_t avail = 0;
+
+            mrs = memory_region_find(root, s->addr, 1);
+
+            if (mrs.mr) {
+                avail = int128_get64(mrs.mr->size) - mrs.offset_within_region;
+                memory_region_unref(mrs.mr);
+            } else {
+                error_setg(errp, "Address 0x%" PRIx64 " does not exists",
+                           s->addr);
+                return;
+            }


Won't this break the case of loading a file that spans two
consecutive-but-different memory regions ?


yes. I did not thought about that.


                                           I think if we want
to catch "we tried to load something to an address not backed
by something" we should do that by making load_image_targetphys_as()
correctly handle errors from the memory accesses it makes and
propagate an error-return to the caller.
The problem is that load_image_targetphys_as() just uses rom_load_...(). And these macros/functions only put some "rom to load" objects in a list without doing any real accesses. 

The list is checked after against overlapping between "rom to load" objects.
But the real writing is done during reset, and any bad access is silently ignored. 

In consequence:
+ it is possible for the memory structure to be populated (or even changed) between rom_load..() calls and real writing. 
+ we ignore missing parts

I do not know if we make an actual use of these "features".
I'm not sure what will be the best course of action here in order to do the checks in rom_load_...(). 

Thanks,
Damien
reply via email to
[Prev in Thread] Current Thread [Next in Thread]