If libfdt returns -FDT_ERR_INTERNAL that generally indicates a bug in the
library. Add a new assumption for these cases since it should be save to
disable these checks regardless of the input.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200302190255.51426-3-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a little more detail in a few of these comments.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200302190255.51426-2-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Fix 'saftey' and 'additional' typos noticed in the assumption series.
Reword the ASSUME_NO_ROLLBACK slightly to improve clarity.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200302190255.51426-1-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a new ASSUME_MASK option, which allows for some control over the
checks used in libfdt. With all assumptions enabled, libfdt assumes that
the input data and parameters are all correct and that internal errors
cannot happen.
By default no assumptions are made and all checks are enabled.
Signed-off-by: Simon Glass <sjg@chromium.org>
Message-Id: <20200220214557.176528-3-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This function returns an int32_t, however the prototype in
libfdt_internal.h shows it returning an int. We haven't caught this before
because they're the same type on nearly all platforms this gets built on.
Apparently it's not the case on FreeRTOS, so someone hit this mismatch
building for that platform.
Reported-by: dharani kumar <dharanikumarsrvn@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In libfdt we often sanity test fdt_totalsize(fdt) fairly early, then
trust it (but *only* that header field) for the remainder of our work.
However, Coverity gets confused by this - it sees the byteswap in
fdt32_ld() and assumes that means it is coming from an untrusted source
everytime, resulting in many tainted data warnings.
Most of these end up with logic in fdt_get_string() as the unsafe
destination for this tainted data, so let's tweak the logic there to make
it clearer to Coverity that this is ok.
We add a sanity test on fdt_totalsize() to fdt_probe_ro_(). Because the
interface allows bare ints to be used for offsets, we already have the
assumption that totalsize must be 31-bits or less (2GiB would be a
ludicrously large fdt). This makes this more explicit.
We also make fdt_probe_ro() return the size for convenience, and change the
logic in fdt_get_string() to keep it in a local so that Coverity can see
that it has already been bounds-checked.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Replace instances of dual GPLv2 or BSD license boilerplate with SPDX tags.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20190620211944.9378-3-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Many of the libfdt entry points call some sort of sanity check function
before doing anything else. These need to do slightly different things for
the various classes of functions.
The read-only version is shared with the exported fdt_check_header(), which
limits us a bit in how we can improve it. For that reason split the two
functions apart (though the exported one just calls the ro one for now).
We also rename the functions for more consistency - they're all named
fdt_XX_probe_() where the XX indicates which class of functions they're
for. "probe" is a better "term" than the previous check, since they really
only do minimal validation.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
In a lot of places libfdt uses a leading _ character to mark an identifier
as "internal" (not part of the published libfdt API). This is a bad idea,
because identifiers with a leading _ are generally reserved by the C
library or system. It's particularly dangerous for libfdt, because it's
designed to be able to be integrated into lots of different environments.
In some cases the leading _ has no purpose, so we simply drop it. In most
cases we move it to the end, as our new convention for marking internal
identifiers.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
FDT_CHECK_HEADER declares an internal variable named "err" whose name is
far too generic and will produce the following -Wshadow warnings:
libfdt/fdt_ro.c: In function 'fdt_node_offset_by_compatible':
libfdt/fdt_ro.c:555:2: error: declaration of 'err' shadows a previous
local [-Werror=shadow]
libfdt/fdt_ro.c:553:14: error: shadowed declaration is here
[-Werror=shadow]
cc1: all warnings being treated as errors
Since this variable is only used internally in the macro, rename to
__err which should be prefixed enough not to cause new shadow warnings.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
For ages, we've been talking about adding functions to libfdt to allow
iteration through properties. So, finally, here are some.
I got bogged down on this for a long time because I didn't want to
expose offsets directly to properties to the callers. But without
that, attempting to make reasonable iteration functions just became
horrible. So eventually, I settled on an interface which does now
expose property offsets. fdt_first_property_offset() and
fdt_next_property_offset() are used to step through the offsets of the
properties starting from a particularly node offset. The details of
the property at each offset can then be retrieved with either
fdt_get_property_by_offset() or fdt_getprop_by_offset() which have
interfaces similar to fdt_get_property() and fdt_getprop()
respectively.
No explicit testcases are included, but we do use the new functions to
reimplement the existing fdt_get_property() function.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently, callers of fdt_next_tag() must usually follow the call with
some sort of call to fdt_offset_ptr() to verify that the blob isn't
truncated in the middle of the tag data they're going to process.
This is a bit silly, since fdt_next_tag() generally has to call
fdt_offset_ptr() on at least some of the data following the tag for
its own operation.
This patch alters fdt_next_tag() to always use fdt_offset_ptr() to
verify the data between its starting offset and the offset it returns
in nextoffset. This simplifies fdt_get_property() which no longer has
to verify itself that the property data is all present.
At the same time, I neaten and clarify the error handling for
fdt_next_tag(). Previously, fdt_next_tag() could return -1 instead of
a tag value in some circumstances - which almost none of the callers
checked for. Also, fdt_next_tag() could return FDT_END either because
it encountered an FDT_END tag, or because it reached the end of the
structure block - no way was provided to tell between these cases.
With this patch, fdt_next_tag() always returns FDT_END with a negative
value in nextoffset for an error. This means the several places which
loop looking for FDT_END will still work correctly - they only need to
check for errors at the end. The errors which fdt_next_tag() can
report are:
- -FDT_ERR_TRUNCATED if it reached the end of the structure
block instead of finding a tag.
- -FDT_BADSTRUCTURE if a bad tag was encountered, or if the
tag data couldn't be verified with fdt_offset_ptr().
This patch also updates the callers of fdt_next_tag(), where
appropriate, to make use of the new error reporting.
Finally, the prototype for the long gone _fdt_next_tag() is removed
from libfdt_internal.h.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
libfdt is supposed to easy to embed in projects all and sundry.
Often, it won't be practical to separate the embedded libfdt's
namespace from that of the surrounding project. Which means there can
be namespace conflicts between even libfdt's internal/static functions
and functions or macros coming from the surrounding project's headers
via libfdt_env.h.
This patch, therefore, renames a bunch of libfdt internal functions
and macros and makes a few other chances to reduce the chances of
namespace collisions with embedding projects. Specifically:
- Internal functions (even static ones) are now named _fdt_*()
- The type and (static) global for the error table in
fdt_strerror() gain an fdt_ prefix
- The unused macro PALIGN is removed
- The memeq and streq macros are removed and open-coded in the
users (they were only used once each)
- Other macros gain an FDT_ prefix
- To save some of the bulk from the previous change, an
FDT_TAGALIGN() macro is introduced, where FDT_TAGALIGN(x) ==
FDT_ALIGN(x, FDT_TAGSIZE)
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Enabling -Wcast-qual warnings in dtc shows up a number of places where
we are incorrectly discarding a const qualification. There are also
some places where we are intentionally discarding the 'const', and we
need an ugly cast through uintptr_t to suppress the warning. However,
most of these are pretty well isolated with the *_w() functions. So
in the interests of maximum safety with const qualifications, this
patch enables the warnings and fixes the existing complaints.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch turns on the -Wpointer-arith option in the dtc Makefile,
and fixes the resulting warnings due to using (void *) in pointer
arithmetic. While convenient, pointer arithmetic on void * is not
portable, so it's better that we avoid it, particularly in libfdt.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch makes a couple of small cleanups to parameter checking of
libfdt functions.
- In several functions which take a node offset, we use an
idiom involving fdt_next_tag() first to check that we have indeed been
given a node offset. This patch adds a helper function
_fdt_check_node_offset() to encapsulate this usage of fdt_next_tag().
- In fdt_rw.c in several places we have the expanded version
of the RW_CHECK_HEADER() macro for no particular reason. This patch
replaces those instances with an invocation of the macro; that's what
it's for.
- In fdt_sw.c we rename the check_header_sw() function to
sw_check_header() to match the analgous function in fdt_rw.c, and we
provide an SW_CHECK_HEADER() wrapper macro as RW_CHECK_HEADER()
functions in fdt_rw.c
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently the CHECK_HEADER() macro is defined local to fdt_ro.c.
However, there are a handful of functions (fdt_move, rw_check_header,
fdt_open_into) from other files which could also use it (currently
they open-code something more-or-less identical). Therefore, this
patch moves CHECK_HEADER() to libfdt_internal.h and uses it in those
places.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
It's potentially useful for users of libfdt to sanity check a device
tree (or, rather, a blob of data which may or may not be a device
tree) before processing it in more detail with libfdt.
This patch renames the libfdt internal function _fdt_check_header() to
fdt_check_header() and makes it a published function, so it can now be
used for this purpose.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds functions to libfdt for accessing the memory
reservation map section of a device tree blob. fdt_num_mem_rsv()
retreives the number of reservation entries in a dtb, and
fdt_get_mem_rsv() retreives a specific reservation entry.
fdt_add_mem_rsv() adds a new entry, and fdt_del_mem_rsv() removes a
specific numbered entry.
Testcases for these new functions are also included.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
