We have a couple of checks of the form:
    if (offset+size > totalsize)
            die();
We need to check that offset+size doesn't overflow, otherwise the check
will pass, and we may access past totalsize.
Found with AFL.
Signed-off-by: Anton Blanchard <anton@samba.org>
[Added a testcase]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
1937095 "Prevent crash on division by zero" fixed a crash when attempting
a division by zero using the / operator in a dts. However, it missed the
precisely equivalent crash with the % (modulus) operator. This patch fixes
the oversight.
Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In order to work with preprocessed dts files more easily, dts will parse
line number information in the form emitted by cpp.
Anton Blanchard (using a fuzzer) reported that including a line number
directive with a nul character (a literal nul in the input file, not a \0
sequence) would cause dtc to SEGV. I spotted several more problems on
examining the code:
* It modified yytext in place which seems to work, but is ugly and I'm
not sure if it's safe on all lex/flex versions
* The regexp used in the lexer to recognize line number information
accepts strings with escape characters, but it won't process these
escapes.
- GNU cpp, at least, will generate \ escapes in line number
information, at least with files containing " or \ in the name
This patch reworks the handling of line number information to address
these problems. \ escapes should now be handled directly. NULs in file
names (either with a literal nul in the input file, or with a \0 escape
sequence) are still not permitted, but will now result in a lexical error
rather than a SEGV.
Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If a dts file contains a string with \ followed by a nul byte - an actual
nul in the input file, not the \\0 escape - then the assert() in
get_escape_char() will trip, crashing dtc.
As far as I can tell, there isn't any valid need for this assert(), so just
remove it.
Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
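The two messages above describe the same class of input: a file name in a cpp line marker, or a string, that contains a backslash escape, a raw NUL byte, or a backslash with nothing after it. As an added example (not dtc's lexer, which does this inside flex rules), the C below handles all of them in one place: a bounded parser for cpp line markers that decodes \ escapes in the file name, treats a raw NUL, a \0 escape, a newline or a trailing backslash as a lexical error, and never needs an assert(). The input is taken as (pointer, length) so an embedded NUL is seen rather than ending the string early. The ex_ names are hypothetical; the escape syntax assumed is the usual C one (\t, \n, \r, \xHH, \ooo), which is what GNU cpp is expected to emit.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>

enum { EX_OK = 0, EX_E_LEX = -1 };

/* Decode the escape after a backslash. *pp points at the character following
 * the backslash and is advanced past what was consumed. Returns the decoded
 * byte (0..255), or EX_E_LEX when the backslash is followed by a NUL or by
 * the end of the input: a lexical error here, not an assert(). */
static int ex_escape_char(const char **pp, const char *end)
{
    const char *p = *pp;
    int c, v, i;

    if (p >= end || *p == '\0')
        return EX_E_LEX;
    c = (unsigned char)*p++;
    switch (c) {
    case 't': v = '\t'; break;
    case 'n': v = '\n'; break;
    case 'r': v = '\r'; break;
    case 'x':                               /* \xHH: up to two hex digits */
        for (v = 0, i = 0; i < 2 && p < end && isxdigit((unsigned char)*p); i++, p++)
            v = v * 16 + (isdigit((unsigned char)*p) ? *p - '0'
                          : tolower((unsigned char)*p) - 'a' + 10);
        break;
    default:
        if (c >= '0' && c <= '7') {         /* \ooo: up to three octal digits */
            for (v = c - '0', i = 1; i < 3 && p < end && *p >= '0' && *p <= '7'; i++, p++)
                v = v * 8 + (*p - '0');
            v &= 0xff;
        } else {
            v = c;                          /* unknown escape: the char itself */
        }
        break;
    }
    *pp = p;
    return v;
}

/* Parse one cpp line marker ('# 12 "file"' or '#line 12 "file"'; trailing
 * flags are ignored) from a (pointer, length) buffer, so a raw NUL byte is
 * seen instead of silently ending the text. On EX_OK, *lineno is set and the
 * decoded name is NUL-terminated in name[] (at most namecap-1 bytes). */
static int ex_parse_line_marker(const char *buf, size_t buflen, int *lineno,
                                char *name, size_t namecap)
{
    const char *p = buf, *end = buf + buflen;
    size_t n = 0;
    int line = 0, c, d;

    if (p >= end || *p++ != '#')
        return EX_E_LEX;
    if (end - p >= 4 && memcmp(p, "line", 4) == 0)
        p += 4;
    if (p >= end || (*p != ' ' && *p != '\t'))
        return EX_E_LEX;
    while (p < end && (*p == ' ' || *p == '\t'))
        p++;
    if (p >= end || !isdigit((unsigned char)*p))
        return EX_E_LEX;
    while (p < end && isdigit((unsigned char)*p)) {
        d = *p++ - '0';
        if (line > (INT_MAX - d) / 10)      /* line number would overflow int */
            return EX_E_LEX;
        line = line * 10 + d;
    }
    while (p < end && (*p == ' ' || *p == '\t'))
        p++;
    if (p >= end || *p++ != '"')
        return EX_E_LEX;
    for (;;) {
        if (p >= end)                       /* unterminated file name */
            return EX_E_LEX;
        c = (unsigned char)*p++;
        if (c == '"')
            break;
        if (c == '\\')
            c = ex_escape_char(&p, end);
        /* Reject a raw NUL, a \0 escape, a failed escape, and a newline. */
        if (c <= 0 || c == '\n' || n + 1 >= namecap)
            return EX_E_LEX;
        name[n++] = (char)c;
    }
    name[n] = '\0';
    *lineno = line;
    return EX_OK;
}
```

A marker such as `#line 7 "dir\"x\\y.dts" 2` decodes to line 7 and the name `dir"x\y.dts`; a name containing a raw NUL, a `\0` escape or a backslash as its last byte comes back as EX_E_LEX rather than a crash.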
The code handling integer literals in dtc-lexer.l assumes that the flex
regexp means that strtoull() can't fail to interpret the string as a valid
integer (either decimal, octal, or hexadecimal). This is not true for
octals. For example '09' is accepted as a literal by the regexp,
strtoull() attempts to handle it as octal, but it has a bad digit.
This changes the code to give a more useful error in this case.
Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently, attempting to divide by zero in an integer expression in a dts
file will cause dtc to crash with a division by zero (SIGFPE).
This patch corrects this to properly detect this case and raise an error.
Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
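Three of the messages above are about the same evaluator: the division-by-zero crash, the identical crash for the modulus operator that the first fix missed, and the '09' literal that strtoull() silently truncates. The following is an added example, not dtc's expression code: a small evaluator for dts integer expressions with those checks in place. A literal is accepted only if strtoull() consumed the whole token, and both '/' and '%' refuse a zero divisor instead of raising SIGFPE. Parentheses and the remaining C operators dtc accepts are left out, and the ex_ names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { EX_E_SYNTAX = 1, EX_E_LITERAL, EX_E_DIVZERO };

static void ex_skip_ws(const char **pp)
{
    while (isspace((unsigned char)**pp))
        (*pp)++;
}

/* Take the whole alphanumeric run as the token (what a flex rule would hand
 * over) and insist that strtoull() consumed all of it: for "09" it reads "0"
 * as octal and stops at the '9', which is reported rather than ignored. */
static int ex_literal(const char **pp, uint64_t *out)
{
    const char *start, *tok_end;
    char *conv_end;
    unsigned long long v;

    ex_skip_ws(pp);
    start = tok_end = *pp;
    while (isalnum((unsigned char)*tok_end))
        tok_end++;
    if (tok_end == start)
        return -EX_E_SYNTAX;
    errno = 0;
    v = strtoull(start, &conv_end, 0);
    if (errno == ERANGE || conv_end != tok_end)
        return -EX_E_LITERAL;   /* bad octal digit, "0x" without digits, overflow */
    *pp = tok_end;
    *out = v;
    return 0;
}

/* Apply one operator. '/' and '%' both trap on a zero divisor (SIGFPE on
 * x86), so both are checked; the first fix covered only '/'. */
static int ex_apply(char op, uint64_t *lhs, uint64_t rhs)
{
    switch (op) {
    case '+': *lhs += rhs; return 0;
    case '-': *lhs -= rhs; return 0;
    case '*': *lhs *= rhs; return 0;
    case '/':
    case '%':
        if (rhs == 0)
            return -EX_E_DIVZERO;
        *lhs = (op == '/') ? *lhs / rhs : *lhs % rhs;
        return 0;
    default:
        return -EX_E_SYNTAX;
    }
}

/* Two precedence levels: 0 is '+' '-', 1 is '*' '/' '%'. Operands at level 1
 * are literals; at level 0 they are level-1 expressions. */
static int ex_binary(const char **pp, int level, uint64_t *out)
{
    static const char *const ops[] = { "+-", "*/%" };
    uint64_t lhs, rhs;
    char op;
    int rc;

    rc = level ? ex_literal(pp, &lhs) : ex_binary(pp, 1, &lhs);
    if (rc < 0)
        return rc;
    for (;;) {
        ex_skip_ws(pp);
        op = **pp;
        if (op == '\0' || !strchr(ops[level], op))
            break;
        (*pp)++;
        rc = level ? ex_literal(pp, &rhs) : ex_binary(pp, 1, &rhs);
        if (rc < 0 || (rc = ex_apply(op, &lhs, rhs)) < 0)
            return rc;
    }
    *out = lhs;
    return 0;
}

/* Evaluate a whole expression: 0 with *out set, or -EX_E_* on error. */
static int ex_eval(const char *text, uint64_t *out)
{
    const char *p = text;
    int rc = ex_binary(&p, 0, out);

    if (rc < 0)
        return rc;
    ex_skip_ws(&p);
    return *p == '\0' ? 0 : -EX_E_SYNTAX;   /* trailing junk */
}
```

With these checks, `ex_eval("10 % 0", &v)` returns -EX_E_DIVZERO where the unpatched code would have died with SIGFPE, and `ex_eval("09", &v)` returns -EX_E_LITERAL instead of the value 0.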
Using pointer arithmetic to generate a pointer outside a known object is,
technically, undefined behaviour in C. Unfortunately, we were using that
in fdt_offset_ptr() to detect overflows.
To fix this we need to do our bounds / overflow checking on the offsets
before constructing pointers from them.
Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch catches the conditions where:
- 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
- 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow
Either of these cases can be caused by math which overflows in calling
functions, or by sizes specified through dynamic means.
Signed-off-by: Courtney Cavin <courtney.cavin@sonymobile.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
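Three of the messages above (the overflowing `offset+size > totalsize` check found with AFL, the undefined pointer arithmetic in fdt_offset_ptr(), and the splice-point validation) are all answered by the same discipline: decide on the integer offsets first, with arithmetic that cannot wrap, and only then form a pointer. The C below is an added example, not libfdt's code. It shows the naive check next to a wrap-safe one, a checked fdt_offset_ptr()-style accessor, and the splice check. The blob is constructed (only the magic and totalsize header fields are filled in), the ex_ names are hypothetical, and the `used` parameter of ex_splice_check() stands in for the size of the data currently in the blob.

```c
#include <stddef.h>
#include <stdint.h>

enum { EX_ERR_NOSPACE = 3, EX_ERR_BADOFFSET = 4 };   /* numbered as in libfdt */

/* Constructed 64-byte blob: magic 0xd00dfeed, totalsize 64 (big-endian),
 * everything else zero. Only the header fields used below are meaningful. */
static uint8_t ex_blob[64] = { 0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x40 };

static uint32_t ex_totalsize(const void *fdt)
{
    const uint8_t *p = (const uint8_t *)fdt + 4;

    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The check as the first message found it: offset + size can wrap to a small
 * number and pass even though the range runs far past the blob. */
static int ex_in_bounds_naive(uint32_t offset, uint32_t size, uint32_t total)
{
    return !(offset + size > total);
}

/* Wrap-safe form: compare size against the space left after offset. */
static int ex_in_bounds(uint32_t offset, uint32_t size, uint32_t total)
{
    return offset <= total && size <= total - offset;
}

/* fdt_offset_ptr()-style accessor that decides on the integers first and
 * only then forms the pointer, so no out-of-object pointer is computed. */
static const void *ex_offset_ptr(const void *fdt, uint32_t offset, uint32_t len)
{
    if (!ex_in_bounds(offset, len, ex_totalsize(fdt)))
        return NULL;
    return (const uint8_t *)fdt + offset;
}

/* Validate replacing oldlen bytes at splicepoint with newlen bytes. `used` is
 * the number of blob bytes currently in use (used <= totalsize). Returns 0,
 * -EX_ERR_BADOFFSET (splicepoint outside [fdt, fdt+totalsize), negative
 * length, or old range past the used data) or -EX_ERR_NOSPACE (result would
 * exceed totalsize). Pointers become offsets before any arithmetic. */
static int ex_splice_check(const void *fdt, uint32_t used, const void *splicepoint,
                           int oldlen, int newlen)
{
    uintptr_t base = (uintptr_t)fdt, sp = (uintptr_t)splicepoint;
    uint32_t total = ex_totalsize(fdt);
    uint32_t off;

    if (sp < base || sp - base >= total)
        return -EX_ERR_BADOFFSET;
    off = (uint32_t)(sp - base);
    if (oldlen < 0 || newlen < 0 || used > total || off > used)
        return -EX_ERR_BADOFFSET;
    if ((uint32_t)oldlen > used - off)
        return -EX_ERR_BADOFFSET;
    /* Widened to 64 bits so the sum itself cannot wrap. */
    if ((uint64_t)used - (uint64_t)oldlen + (uint64_t)newlen > total)
        return -EX_ERR_NOSPACE;
    return 0;
}
```

The naive check accepts offset 0xfffffff0 with size 0x20 against a 0x1000-byte blob because the sum wraps to 0x10; the wrap-safe check rejects it, and ex_offset_ptr() never adds such an offset to the base pointer.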
Several functions in the header file were missing from the version.lds
script, meaning that they couldn't be used from a libfdt shared library.
Reported by Ken Aaker, via github issue tracker.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The "-Werror" compiler flag is currently declared twice in the
Makefile, one time in WARNINGS, and one time in CFLAGS. Let's
remove one of them.
Signed-off-by: Thomas Huth <thuth@redhat.com>
[Moved remaining -Werror from WARNINGS to CFLAGS --dwg]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Given a device tree node, a property name and an index, the new function
fdt_stringlist_get() will return a pointer to the index'th string in the
property's value and return its length (or an error code on failure) in
an output argument.
Signed-off-by: Thierry Reding <treding@nvidia.com>
[Fix some -Wshadow warnings --dwg]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The new fdt_stringlist_search() function will look up a given string in
the list contained in the value of a named property of a given device
tree node and return its index.
Signed-off-by: Thierry Reding <treding@nvidia.com>
[Fix some -Wshadow warnings --dwg]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Given a device tree node and a property name, the fdt_stringlist_count()
function counts the number of strings found in the property value.
This also adds a new error code, FDT_ERR_BADVALUE, that the function
returns when it encounters a non-NUL-terminated string list.
Signed-off-by: Thierry Reding <treding@nvidia.com>
[Changed testcase name --dwg]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
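The three messages above add fdt_stringlist_get(), fdt_stringlist_search() and fdt_stringlist_count(). As an added example, not libfdt's implementation, the C below shows the same three operations on a raw property value of known length, including the check that introduces FDT_ERR_BADVALUE: a value whose last byte is not NUL is rejected up front, so none of the strlen() calls that follow can run past the end of the value. The ex_ names are hypothetical; the sample value is constructed in the shape of a pinctrl-names property.

```c
#include <stddef.h>
#include <string.h>

enum { EX_ERR_NOTFOUND = 1, EX_ERR_BADVALUE = 15 };   /* numbered as in libfdt */

/* A string list is NUL-separated and must end with a NUL; anything else is
 * rejected so that the strlen() calls below stay inside the value. */
static int ex_stringlist_valid(const char *val, int len)
{
    return len >= 0 && (len == 0 || val[len - 1] == '\0');
}

/* Number of strings in the value, or -EX_ERR_BADVALUE. */
static int ex_stringlist_count(const char *val, int len)
{
    const char *p = val, *end = val + len;
    int count = 0;

    if (!ex_stringlist_valid(val, len))
        return -EX_ERR_BADVALUE;
    while (p < end) {
        p += strlen(p) + 1;
        count++;
    }
    return count;
}

/* Index of `string` in the list, -EX_ERR_NOTFOUND, or -EX_ERR_BADVALUE. */
static int ex_stringlist_search(const char *val, int len, const char *string)
{
    const char *p = val, *end = val + len;
    size_t slen = strlen(string);
    int idx;

    if (!ex_stringlist_valid(val, len))
        return -EX_ERR_BADVALUE;
    for (idx = 0; p < end; idx++) {
        size_t cur = strlen(p);

        if (cur == slen && memcmp(p, string, slen) == 0)
            return idx;
        p += cur + 1;
    }
    return -EX_ERR_NOTFOUND;
}

/* Pointer to the index'th string with its length in *lenp; on failure NULL
 * with a negative error code in *lenp. */
static const char *ex_stringlist_get(const char *val, int len, int index, int *lenp)
{
    const char *p = val, *end = val + len;

    if (!ex_stringlist_valid(val, len)) {
        *lenp = -EX_ERR_BADVALUE;
        return NULL;
    }
    for (; p < end; index--) {
        size_t cur = strlen(p);

        if (index == 0) {
            *lenp = (int)cur;
            return p;
        }
        p += cur + 1;
    }
    *lenp = -EX_ERR_NOTFOUND;
    return NULL;
}

/* Constructed sample: a pinctrl-names style value with three entries. The
 * length includes the final NUL, as a property value in a blob would. */
static const char ex_names[] = "default\0sleep\0idle";
#define EX_NAMES_LEN ((int)sizeof(ex_names))
```

On the sample value the count is 3, "idle" is found at index 2 and index 1 yields "sleep" with length 5; the same value with its final NUL cut off is reported as -EX_ERR_BADVALUE by all three functions.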
The statement "Identical to fdt_get_property_namelen() ..." does not
make sense for the comment of fdt_get_property_namelen() itself.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
On systems where 'char' is signed, fdtdump will currently print the wrong
thing on properties containing bytestring values with "negative" bytes
(that is with values from 0x80..0xff). The fdtdump testcase is extended
to cover this case too.
This corrects the problem by forcing use of unsigned char - although this
is perhaps another indication that fdtdump is a buggy hack and if you want
to do real work you should use dtc -O dts.
Reported-by: Igor Prusov <Igor.V.Prusov@mcst.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The overall test runner script, for the fdtdump tests, invokes the helper
script fdtdump-runtest.sh. It then directly includes some code very
similar to fdtdump-runtest.sh, which is never reached due to a "return".
Remove the never-reached test code.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The test script includes several specific tests for the handling of aliases
in fdt_path_offset(). These are primarily tests of the fdt_path_offset()
libfdt function itself, although dtc is used to generate a test file for
convenience.
Move these from the dtc tests section to the libfdt tests section
accordingly.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This adds the .travis.yml file allowing for dtc building and testing in
the Travis Continuous Integration system.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If no output file type is specified via the -O parameter, guess the
desired file type by looking at the file name extension.
If that provides no useful hints, assume "dtb" as long as the input
type is "dts". Any other input type will lead to "dts" being used as
the guessed output type.
Any explicit specification of the output type will skip this guessing.
Signed-off-by: Andre Przywara <osp@andrep.de>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Always needing to specify the input file format can be quite
annoying, especially since a dtb is easily detected by its magic.
Looking at the file name extension sounds useful as a hint, too.
Add heuristic file type guessing of the input file format in case
none has been specified on the command line.
The heuristics are as follows (in that order):
- Any issues with opening the file drop back to the current default
behaviour.
- A directory will be treated as the /proc/device-tree type.
- If the first 4 bytes are the DTB magic, assume "dtb".
- If no other test succeeded so far, use a file name based
guessing method: if the filename ends with .dts or .DTS, device tree
source text is assumed, .dtb or .DTB hint at a device tree blob.
For the majority of practical use cases this gets rid of the tedious
-I specification on the command line and simplifies actual typing of
dtc command lines.
Any explicit specification of the input type by using -I still avoids
any guessing, which resembles the current behaviour.
Signed-off-by: Andre Przywara <osp@andrep.de>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
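The two messages above spell out an ordered set of heuristics for the input and output types. As an added example, not dtc's own option handling, the C below encodes that order so the precedence is explicit: an explicit -I or -O always wins; a file that cannot be opened keeps the old default; a directory is /proc/device-tree style input ("fs" in dtc's -I vocabulary); the DTB magic 0xd00dfeed is checked before the file name, so content beats extension; and only then do .dts/.DTS and .dtb/.DTB decide. The caller passes what it learned from opening the file (whether that succeeded, whether it is a directory, the first bytes read) so the logic runs on constructed data. The ex_ names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Extension-based guess shared by both directions: ".dts"/".DTS" or
 * ".dtb"/".DTB", else NULL. */
static const char *ex_type_from_name(const char *fname)
{
    const char *dot = fname ? strrchr(fname, '.') : NULL;

    if (dot == NULL)
        return NULL;
    if (strcmp(dot, ".dts") == 0 || strcmp(dot, ".DTS") == 0)
        return "dts";
    if (strcmp(dot, ".dtb") == 0 || strcmp(dot, ".DTB") == 0)
        return "dtb";
    return NULL;
}

/* Input side, in the order the message lists. forced is the -I argument or
 * NULL; opened is 0 when the file could not be opened (keep the old default,
 * dflt); is_dir selects /proc/device-tree style input ("fs"); hdr/hdrlen are
 * the leading bytes already read, checked against the DTB magic 0xd00dfeed. */
static const char *ex_guess_input_type(const char *forced, const char *fname, int opened,
                                       int is_dir, const uint8_t *hdr, size_t hdrlen,
                                       const char *dfl)
{
    const char *byname;

    if (forced)
        return forced;
    if (!opened)
        return dfl;
    if (is_dir)
        return "fs";
    if (hdrlen >= 4 && hdr[0] == 0xd0 && hdr[1] == 0x0d &&
        hdr[2] == 0xfe && hdr[3] == 0xed)
        return "dtb";
    byname = ex_type_from_name(fname);
    return byname ? byname : dfl;
}

/* Output side: an explicit -O wins, then the output file's extension, then
 * "dtb" for dts input and "dts" for anything else. */
static const char *ex_guess_output_type(const char *forced, const char *outname,
                                        const char *intype)
{
    const char *byname = ex_type_from_name(outname);

    if (forced)
        return forced;
    if (byname)
        return byname;
    return strcmp(intype, "dts") == 0 ? "dtb" : "dts";
}
```

Note the consequence of the ordering: a file called blob.bin whose first four bytes are the magic is read as dtb, while a file called missing.dtb that cannot be opened is still handled with the old default and not as dtb.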
The -n option is not standard in POSIX, so convert to printf which should
work the same in every shell.
Signed-off-by: Mike Frysinger <vapier@chromium.org>
If you have a parent block with #size-cells improperly set to 0, and
then subsequently try to include a regs property in the child, dtc will
crash with SIGFPE while validating it. This patch fixes that crash,
instead printing the same invalid length warning that was causing it.
Test included.
Signed-off-by: Jack Miller <jack@codezen.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Paths with multiple '/' characters in a row (e.g. //somenode//somesubnode),
or trailing '/' characters (e.g. '/somenode/somesubnode/') should be
handled by fdt_path_offset(), and treated as equivalent to
/somenode/somesubnode.
Our current path_offset testcase doesn't check for these cases, so extend
it so it does.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This introduces a check_path_offset() helper function into the path_offset
testcase to simplify it. This will also make extending the test case with
tests for path_offset_namelen() and some edge cases easier.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Properties may contain path names which are not NUL-terminated.
For example, the 'stdout-path' property allows the form 'path:options',
where the ':' character terminates the path specifier.
Allow these path names to be used in-place for path descending;
add fdt_path_offset_namelen(), which limits the path name to 'namelen'
characters.
Reimplement fdt_path_offset() as a trivial wrapper.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
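The two messages above fix the same path walker: fdt_path_offset() must treat runs of '/' and a trailing '/' as adding no component, and fdt_path_offset_namelen() must be able to stop at a length limit so that a value such as stdout-path's "path:options" can be resolved in place. As an added example, not libfdt's code, the C below walks a small constructed tree with exactly those rules. The tree, the offsets and the ex_ names are hypothetical; alias resolution, which the real function also performs, is left out.

```c
#include <stddef.h>
#include <string.h>

enum { EX_ERR_NOTFOUND = 1, EX_ERR_BADPATH = 5 };   /* numbered as in libfdt */

/* Constructed tree: / -> soc -> { serial@1000, i2c@2000 }. `offset` stands in
 * for the structure-block offset that fdt_path_offset() would return. */
struct ex_node {
    const char *name;
    const struct ex_node *const *children;
    int nchildren;
    int offset;
};
static const struct ex_node ex_serial = { "serial@1000", NULL, 0, 30 };
static const struct ex_node ex_i2c = { "i2c@2000", NULL, 0, 48 };
static const struct ex_node *const ex_soc_kids[] = { &ex_serial, &ex_i2c };
static const struct ex_node ex_soc = { "soc", ex_soc_kids, 2, 12 };
static const struct ex_node *const ex_root_kids[] = { &ex_soc };
static const struct ex_node ex_root = { "", ex_root_kids, 1, 0 };

/* Resolve the first namelen bytes of path. Repeated '/' and a trailing '/'
 * add no component, so "//soc//serial@1000/" is "/soc/serial@1000". Only
 * absolute paths are handled here. */
static int ex_path_offset_namelen(const char *path, int namelen)
{
    const struct ex_node *cur = &ex_root;
    const char *p = path, *end = path + namelen;

    if (namelen < 1 || *p != '/')
        return -EX_ERR_BADPATH;
    while (p < end) {
        const char *q;
        int clen, i;

        while (p < end && *p == '/')    /* collapse runs of '/' */
            p++;
        if (p == end)                   /* trailing '/': done */
            break;
        q = memchr(p, '/', (size_t)(end - p));
        if (q == NULL)
            q = end;
        clen = (int)(q - p);
        for (i = 0; i < cur->nchildren; i++)
            if ((int)strlen(cur->children[i]->name) == clen &&
                memcmp(cur->children[i]->name, p, (size_t)clen) == 0)
                break;
        if (i == cur->nchildren)
            return -EX_ERR_NOTFOUND;
        cur = cur->children[i];
        p = q;
    }
    return cur->offset;
}

/* The NUL-terminated form is a trivial wrapper, as in the message. */
static int ex_path_offset(const char *path)
{
    return ex_path_offset_namelen(path, (int)strlen(path));
}

/* stdout-path style "path:options": walk only the part before the ':'
 * without copying it into a NUL-terminated buffer first. */
static int ex_stdout_path_offset(const char *value)
{
    const char *colon = strchr(value, ':');
    int namelen = colon ? (int)(colon - value) : (int)strlen(value);

    return ex_path_offset_namelen(value, namelen);
}
```

"/soc/serial@1000", "//soc//serial@1000/" and the stdout-path value "/soc/serial@1000:115200n8" all resolve to the same node; "/" resolves to the root, and a relative path is -EX_ERR_BADPATH.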
The commit 4e76ec7 "libfdt: Add fdt_next_subnode() to permit easy
subnode iteration" adds new functions (fdt_{first,next}_subnode) but
forgot to mark them as 'global' in the shared library.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
This patch changes the dtc grammar to allow following syntax
i2cexp: &i2c2 {
...
};
The current device tree compiler allows defining multiple labels when defining
the device node the first time. Typically device nodes are defined in
DTSI files. Now these nodes can be overwritten for updating some of the
properties. Typically, device nodes are overridden in DTS files.
When working with adapter boards, most of the time an adapter board can fit
multiple base boards. But depending on which base board it is connected to,
the devices on the adapter board would be children of different devices.
e.g. On dra7-evm.dts, i2c2 is exported for expansion connector whereas
on dra72-evm.dts, i2c5 is exported for expansion connector.
This causes a problem when writing a generic device tree file for
the adapter board, because you cannot know whether all the devices on the
adapter board are present on i2c2 or i2c5.
The problem can be solved by adding a common label (e.g. i2cexp) in both
of the DTS files when overriding the device nodes for i2c2 or i2c5.
This way, the generic adapter board file would override the i2cexp. And
depending on which base board you use the adapter board with, all the devices
are automatically added to the correct device nodes.
Signed-off-by: Nikhil Devshatwar <nikhil.nd@ti.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Although on some systems va_end is a no-op, it is good practice
to use va_end, especially since the manual states:
"Each invocation of va_start() must be matched by a corresponding
invocation of va_end() in the same function."
Signed-off-by: Colin Ian King <colin.king@canonical.com>
This patch adds scripts/kup-dtc which builds a tarball from a specified git
tag, signs it and uploads to kernel.org with kup. This is useful only for
dtc maintainers.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
1) Remove the double parentheses around two comparisons in checks.c.
The OSX LLVM-based C compiler warns about them.
2) Put an explicit "=" in the TN() macro, in accordance with c99.
Signed-off-by: Phil Elwell <phil@raspberrypi.org>
The scanners of the latest version of dtc and
convert-dtsv0 no longer use the start condition
"INCLUDE", so we should delete it.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
If #define DEFAULT_FDT_VERSION 17, the message
    Blob version to produce, defaults to %d (for dtb and asm output)
should be
    Blob version to produce, defaults to 17 (for dtb and asm output)
This patch fixes it, and deletes the redundant 't'.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
For example:
reserved-names="res1\0res2\0res3";
Where \0 is an actual embedded NUL in the source instead of a string
escape. To achieve this, use the len given by the lexer instead of
strlen.
Without this patch dtc will mangle the output and possibly hang on
realloc.
1) No variadic macros in the form "args..."; this is a GCC extension.
2) No empty struct initializers. In any case, there is very little to win:
{ } vs. { 0 }.
Signed-off-by: Andrei Errapart <andrei@errapartengineering.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The "b" flag to fopen() is generally a no-op on Unix-like systems, but may
be important on other systems, including Windows.
Signed-off-by: Andrei Errapart <andrei@errapartengineering.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Some platforms (including the Microsoft C compiler) have char defaulting
to signed. write_propval_bytes() in the -O dts code will not behave
correctly in this case, due to sign extension.
Signed-off-by: Andrei Errapart <andrei@errapartengineering.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
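The fdtdump message earlier on this page and the write_propval_bytes() message just above are the same defect: a byte read through plain `char` is promoted to int before it is printed, and on targets where `char` is signed (x86 with GCC, the Microsoft compiler) 0x80..0xff become negative values whose hex form is ffffff80..ffffffff. The C below is an added example, not the code of dtc or fdtdump. It renders a property value in the "xx xx xx" bytestring form twice, reading the value through `signed char` and through `unsigned char`; `signed char` is used explicitly, rather than plain `char`, so the faulty behaviour shows on every host regardless of its `char` signedness. The ex_ names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Render len bytes as "xx xx xx" into out[]. Returns the length written, or
 * -1 if out[] is too small. as_signed selects which character type the value
 * is read through; that choice alone changes the output. */
static int ex_format_bytes_impl(const void *val, int len, char *out, size_t cap,
                                int as_signed)
{
    const unsigned char *up = val;
    const signed char *sp = val;   /* what `const char *` is on a signed-char target */
    size_t n = 0;
    unsigned int v;
    int i, w;

    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (i = 0; i < len; i++) {
        /* Through signed char, 0x80 is the int -128; converting that to
         * unsigned for %x yields 0xffffff80. Through unsigned char it is 128. */
        v = as_signed ? (unsigned int)sp[i] : (unsigned int)up[i];
        w = snprintf(out + n, cap - n, "%s%02x", i ? " " : "", v);
        if (w < 0 || (size_t)w >= cap - n)
            return -1;
        n += (size_t)w;
    }
    return (int)n;
}

/* The defective form: bytes >= 0x80 come out sign-extended. */
static int ex_format_bytes_signed(const void *val, int len, char *out, size_t cap)
{
    return ex_format_bytes_impl(val, len, out, cap, 1);
}

/* The corrected form: always read bytes through unsigned char. */
static int ex_format_bytes(const void *val, int len, char *out, size_t cap)
{
    return ex_format_bytes_impl(val, len, out, cap, 0);
}
```

For the bytes 80 01 7f ff the signed variant prints "ffffff80 01 7f ffffffff" and the unsigned variant "80 01 7f ff"; the difference is the whole bug, and the fix is only the pointer type the value is read through.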
This has been there for ages, but the assertion makes no sense in the
context of the test immediately preceding it. This caused an abort()
when in -I dts -O dts mode with the right sort of internal labels in a
string property value.
Add a testcase for this and another candidate edge case (though this one
we already get right).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We can test fdtdump by comparing its output with the source file that was
compiled by dtc. Add a simple test that should at least catch regressions
in basic functionality.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch makes a small start on libfdt functions which actually help to
parse the contents of device trees, rather than purely manipulating the
tree's structure.
We add simple helpers to read and sanity check the #address-cells and
#size-cells values for a given node.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
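The helpers described above read #address-cells and #size-cells, and the earlier message about a parent with #size-cells set to 0 shows what goes wrong downstream when such values are used without a check: validating the child's reg length divides by the entry size, which is then zero. The C below is an added example, not libfdt's or dtc's code. It reads a cell count from a raw big-endian property value with the sanity checks, applies the specification's defaults when the property is absent (2 address cells, 1 size cell; an assumption about the defaults, which libfdt's own helpers have changed over time), and validates a reg length by testing the entry size before the modulo, so the SIGFPE becomes an "invalid length" error. EX_MAX_NCELLS mirrors libfdt's FDT_MAX_NCELLS of 4; the error codes are local to the example and the ex_ names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define EX_MAX_NCELLS 4                     /* libfdt's FDT_MAX_NCELLS */
enum { EX_ERR_BADNCELLS = 1, EX_ERR_BADLENGTH };   /* example-local codes */

static uint32_t ex_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* val/len is the raw property value, or val == NULL when the property is
 * absent, in which case dflt applies. A value that is not exactly one cell,
 * or a count above EX_MAX_NCELLS, is -EX_ERR_BADNCELLS. */
static int ex_read_cells(const uint8_t *val, int len, int dflt)
{
    uint32_t v;

    if (val == NULL)
        return dflt;
    if (len != 4)
        return -EX_ERR_BADNCELLS;
    v = ex_be32(val);
    if (v > EX_MAX_NCELLS)
        return -EX_ERR_BADNCELLS;
    return (int)v;
}

/* Defaults are the device tree specification's: 2 address cells, 1 size cell. */
static int ex_address_cells(const uint8_t *val, int len)
{
    return ex_read_cells(val, len, 2);
}

static int ex_size_cells(const uint8_t *val, int len)
{
    return ex_read_cells(val, len, 1);
}

/* Validate a 'reg' value of reglen bytes against the parent's cell counts and
 * return the number of (address, size) entries. With #address-cells and
 * #size-cells both 0 the entry size is 0; testing that before the modulo is
 * what turns the SIGFPE into the "invalid length" diagnostic. Errors from the
 * cell lookups (negative counts) are passed through unchanged. */
static int ex_check_reg_len(int reglen, int addr_cells, int size_cells)
{
    int entry;

    if (addr_cells < 0)
        return addr_cells;
    if (size_cells < 0)
        return size_cells;
    entry = (addr_cells + size_cells) * 4;
    if (entry == 0 || reglen <= 0 || reglen % entry != 0)
        return -EX_ERR_BADLENGTH;
    return reglen / entry;
}
```

A 16-byte reg under a parent with one address cell and one size cell is two entries; the same reg under a parent with both counts at 0 is reported as -EX_ERR_BADLENGTH, where the unguarded modulo would have trapped.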
At present, the lexer token for references to a path doesn't permit a
reference to the root node &{/}. Fixing the lexer exposes another bug
handling this case.
This patch fixes both bugs and adds testcases.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The information about the location of the source code of the
device tree compiler was inaccurate.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
fdtput.c:
Replace the remaining call to realloc by xrealloc.
Some redundant lines in encode_value can be saved.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>