coreboot-kgpe-d16/payloads/libpayload/libcbfs/cbfs_core.c
Julius Werner 55ffccfbae libpayload: cbfs: Fix minor memory leak in some edge cases
cbfs_get_handle() allocates memory for a handle and doesn't free it if
it errors out later, leaving the memory permanently leaked. Fix.

Change-Id: Ide198105ce3ad6237672ff152b4490c768909564
Reported-by: Coverity
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/16207
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
2016-08-12 22:52:22 +02:00

344 lines
10 KiB
C

/*
* This file is part of the libpayload project.
*
* Copyright (C) 2011 secunet Security Networks AG
* Copyright (C) 2013 Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* The CBFS core requires a couple of #defines or functions to adapt it to the
* target environment:
*
* CBFS_CORE_WITH_LZMA (must be #define)
* if defined, ulzma() must exist for decompression of data streams
*
* CBFS_CORE_WITH_LZ4 (must be #define)
* if defined, ulz4f() must exist for decompression of data streams
*
* ERROR(x...)
* print an error message x (in printf format)
*
* LOG(x...)
* print a message x (in printf format)
*
* DEBUG(x...)
* print a debug message x (in printf format)
*
*/
#include <cbfs.h>
#include <string.h>
#include <sysinfo.h>
/* returns a pointer to CBFS master header, or CBFS_HEADER_INVALID_ADDRESS
* on failure */
const struct cbfs_header *cbfs_get_header(struct cbfs_media *media)
{
int32_t rel_offset;
const struct cbfs_header *header;
struct cbfs_media default_media;
if (media == CBFS_DEFAULT_MEDIA) {
media = &default_media;
if (init_default_cbfs_media(media) != 0) {
ERROR("Failed to initialize default media.\n");
return CBFS_HEADER_INVALID_ADDRESS;
}
}
media->open(media);
if (!media->read(media, &rel_offset, (size_t)(0 - sizeof(int32_t)),
sizeof(int32_t))) {
ERROR("Could not read CBFS master header offset!\n");
return CBFS_HEADER_INVALID_ADDRESS;
}
header = media->map(media, (size_t)rel_offset, sizeof(*header));
DEBUG("CBFS header at %#zx (-%#zx from end of image).\n",
(size_t)rel_offset, (size_t)-rel_offset);
media->close(media);
if (header == CBFS_MEDIA_INVALID_MAP_ADDRESS) {
ERROR("Failed to load CBFS header from %#zx(-%#zx)\n",
(size_t)rel_offset, (size_t)-rel_offset);
return CBFS_HEADER_INVALID_ADDRESS;
}
if (CBFS_HEADER_MAGIC != ntohl(header->magic)) {
ERROR("Could not find valid CBFS master header at %#zx(-%#zx): "
"magic %#.8x vs %#.8x.\n", (size_t)rel_offset,
(size_t)-rel_offset, CBFS_HEADER_MAGIC,
ntohl(header->magic));
if (header->magic == 0xffffffff) {
ERROR("Maybe ROM is not mapped properly?\n");
}
return CBFS_HEADER_INVALID_ADDRESS;
}
return header;
}
static int get_cbfs_range(uint32_t *offset, uint32_t *cbfs_end,
struct cbfs_media *media)
{
const struct cbfs_header *header;
if (media == CBFS_DEFAULT_MEDIA &&
lib_sysinfo.cbfs_offset && lib_sysinfo.cbfs_size) {
*offset = lib_sysinfo.cbfs_offset;
*cbfs_end = *offset + lib_sysinfo.cbfs_size;
return 0;
}
/* read offset and size from cbfs master header */
DEBUG("Read CBFS offset & size from master header\n");
header = cbfs_get_header(media);
if (header == CBFS_HEADER_INVALID_ADDRESS)
return -1;
// Logical offset (for source media) of first file.
*offset = ntohl(header->offset);
*cbfs_end = ntohl(header->romsize);
#if IS_ENABLED(CONFIG_LP_ARCH_X86)
// resolve actual length of ROM used for CBFS components
// the bootblock size was not taken into account
*cbfs_end -= ntohl(header->bootblocksize);
// fine tune the length to handle alignment positioning.
// using (bootblock size) % align, to derive the
// number of bytes the bootblock is off from the alignment size.
if ((ntohl(header->bootblocksize) % CBFS_ALIGNMENT))
*cbfs_end -= (CBFS_ALIGNMENT -
(ntohl(header->bootblocksize) % CBFS_ALIGNMENT));
else
*cbfs_end -= 1;
#endif
return 0;
}
/* public API starts here*/
struct cbfs_handle *cbfs_get_handle(struct cbfs_media *media, const char *name)
{
const char *vardata;
uint32_t offset, cbfs_end, vardata_len;
struct cbfs_file file;
struct cbfs_handle *handle = malloc(sizeof(*handle));
if (!handle)
return NULL;
if (get_cbfs_range(&offset, &cbfs_end, media)) {
ERROR("Failed to find cbfs range\n");
free(handle);
return NULL;
}
if (media == CBFS_DEFAULT_MEDIA) {
media = &handle->media;
if (init_default_cbfs_media(media) != 0) {
ERROR("Failed to initialize default media.\n");
free(handle);
return NULL;
}
} else {
memcpy(&handle->media, media, sizeof(*media));
}
DEBUG("CBFS location: 0x%x~0x%x\n", offset, cbfs_end);
DEBUG("Looking for '%s' starting from 0x%x.\n", name, offset);
media->open(media);
while (offset < cbfs_end &&
media->read(media, &file, offset, sizeof(file)) == sizeof(file)) {
if (memcmp(CBFS_FILE_MAGIC, file.magic,
sizeof(file.magic)) != 0) {
uint32_t new_align = CBFS_ALIGNMENT;
if (offset % CBFS_ALIGNMENT)
new_align += CBFS_ALIGNMENT -
(offset % CBFS_ALIGNMENT);
ERROR("ERROR: No file header found at 0x%xx - "
"try next aligned address: 0x%x.\n", offset,
offset + new_align);
offset += new_align;
continue;
}
vardata_len = ntohl(file.offset) - sizeof(file);
DEBUG(" - load entry 0x%x variable data (%d bytes)...\n",
offset, vardata_len);
// load file name (arbitrary length).
vardata = (const char*)media->map(
media, offset + sizeof(file), vardata_len);
if (vardata == CBFS_MEDIA_INVALID_MAP_ADDRESS) {
ERROR("ERROR: Failed to get filename: 0x%x.\n", offset);
} else if (strcmp(vardata, name) == 0) {
int file_offset = ntohl(file.offset),
file_len = ntohl(file.len);
DEBUG("Found file (offset=0x%x, len=%d).\n",
offset + file_offset, file_len);
media->unmap(media, vardata);
media->close(media);
handle->type = ntohl(file.type);
handle->media_offset = offset;
handle->content_offset = file_offset;
handle->content_size = file_len;
handle->attribute_offset =
ntohl(file.attributes_offset);
return handle;
} else {
DEBUG(" (unmatched file @0x%x: %s)\n", offset,
vardata);
media->unmap(media, vardata);
}
// Move to next file.
offset += ntohl(file.len) + ntohl(file.offset);
if (offset % CBFS_ALIGNMENT)
offset += CBFS_ALIGNMENT - (offset % CBFS_ALIGNMENT);
}
media->close(media);
LOG("WARNING: '%s' not found.\n", name);
free(handle);
return NULL;
}
void *cbfs_get_contents(struct cbfs_handle *handle, size_t *size, size_t limit)
{
struct cbfs_media *m = &handle->media;
size_t on_media_size = handle->content_size;
int algo = CBFS_COMPRESS_NONE;
void *ret = NULL;
size_t dummy_size;
if (!size)
size = &dummy_size;
struct cbfs_file_attr_compression *comp =
cbfs_get_attr(handle, CBFS_FILE_ATTR_TAG_COMPRESSION);
if (comp) {
algo = ntohl(comp->compression);
DEBUG("File '%s' is compressed (alg=%d)\n", name, algo);
*size = ntohl(comp->decompressed_size);
/* TODO: Implement partial decompression with |limit| */
}
if (algo == CBFS_COMPRESS_NONE) {
if (limit != 0 && limit < on_media_size) {
*size = limit;
on_media_size = limit;
} else {
*size = on_media_size;
}
}
void *data = m->map(m, handle->media_offset + handle->content_offset,
on_media_size);
if (data == CBFS_MEDIA_INVALID_MAP_ADDRESS)
return NULL;
ret = malloc(*size);
if (ret != NULL && !cbfs_decompress(algo, data, ret, *size)) {
free(ret);
ret = NULL;
}
m->unmap(m, data);
return ret;
}
void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
int type, size_t *sz)
{
void *ret = NULL;
struct cbfs_handle *handle = cbfs_get_handle(media, name);
if (!handle)
return NULL;
if (handle->type == type)
ret = cbfs_get_contents(handle, sz, 0);
else
ERROR("File '%s' is of type %x, but we requested %x.\n", name,
handle->type, type);
free(handle);
return ret;
}
void *cbfs_get_attr(struct cbfs_handle *handle, uint32_t tag)
{
struct cbfs_media *m = &handle->media;
uint32_t offset = handle->media_offset + handle->attribute_offset;
uint32_t end = handle->media_offset + handle->content_offset;
struct cbfs_file_attribute attr;
void *ret;
/* attribute_offset should be 0 when there is no attribute, but all
* values that point into the cbfs_file header are invalid, too. */
if (handle->attribute_offset <= sizeof(struct cbfs_file))
return NULL;
m->open(m);
while (offset + sizeof(attr) <= end) {
if (m->read(m, &attr, offset, sizeof(attr)) != sizeof(attr)) {
ERROR("Failed to read attribute header %#x\n", offset);
m->close(m);
return NULL;
}
if (ntohl(attr.tag) != tag) {
offset += ntohl(attr.len);
continue;
}
ret = m->map(m, offset, ntohl(attr.len));
if (ret == CBFS_MEDIA_INVALID_MAP_ADDRESS) {
ERROR("Failed to map attribute at %#x\n", offset);
m->close(m);
return NULL;
}
return ret;
}
m->close(m);
return NULL;
}
int cbfs_decompress(int algo, void *src, void *dst, int len)
{
switch (algo) {
case CBFS_COMPRESS_NONE:
memcpy(dst, src, len);
return len;
#ifdef CBFS_CORE_WITH_LZMA
case CBFS_COMPRESS_LZMA:
return ulzma(src, dst);
#endif
#ifdef CBFS_CORE_WITH_LZ4
case CBFS_COMPRESS_LZ4:
return ulz4f(src, dst);
#endif
default:
ERROR("tried to decompress %d bytes with algorithm #%x,"
"but that algorithm id is unsupported.\n", len,
algo);
return 0;
}
}