/*
* Copyright 2010, Google LLC.
* Copyright 2018-present, Facebook Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
* * Neither the name of Google Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Alternatively, this software may be distributed under the terms of the
* GNU General Public License ("GPL") version 2 as published by the Free
* Software Foundation.
*/
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#include "flash.h"
#include "fmap.h"
/* Total byte size of an fmap blob: the fixed header followed by one
 * fmap_area entry per announced area. Only the header's nareas field is
 * read, so the caller must already have a full struct fmap in memory. */
static size_t fmap_size(const struct fmap *fmap)
{
	const size_t areas_bytes = (size_t)fmap->nareas * sizeof(struct fmap_area);
	return sizeof(*fmap) + areas_bytes;
}
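/* Sanity-check a candidate fmap header that is already in memory.
 *
 * Returns 1 if the header looks like a genuine fmap, 0 otherwise. Only the
 * fixed-size header is inspected, so the caller must guarantee at least
 * sizeof(struct fmap) readable bytes at fmap. The checks are meant to reject
 * random data and strings that merely contain the signature; the area table
 * itself is not verified here. */
static int is_valid_fmap(const struct fmap *fmap)
{
	if (memcmp(fmap, FMAP_SIGNATURE, strlen(FMAP_SIGNATURE)) != 0)
		return 0;

	/* Strings containing the magic tend to fail the version checks. */
	if (fmap->ver_major > FMAP_VER_MAJOR)
		return 0;
	if (fmap->ver_minor > FMAP_VER_MINOR)
		return 0;

	/* Basic consistency: the described flash address space must be at
	 * least as large as the fmap data structure itself. */
	if (fmap->size < fmap_size(fmap))
		return 0;

	/* fmap-alikes inside binary data tend to fail on having a valid,
	 * null-terminated name. The name is specified to be a single printable
	 * word without spaces, terminated within FMAP_STRLEN bytes. */
	int i;
	for (i = 0; i < FMAP_STRLEN; i++) {
		/* Go through unsigned char so the <ctype.h> call is well-defined
		 * even if name is declared as plain (possibly signed) char. */
		const unsigned char c = (unsigned char)fmap->name[i];
		if (c == 0)
			break;
		if (!isgraph(c))
			return 0;
	}
	/* No terminator within FMAP_STRLEN bytes: one symbol too many. */
	if (i == FMAP_STRLEN)
		return 0;

	return 1;
}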
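/**
 * @brief Do a brute-force linear search for fmap in provided buffer
 *
 * Every byte offset that still leaves room for a complete struct fmap is
 * tried, so is_valid_fmap() never reads past buf + len.
 *
 * @param[in] buf The buffer to search
 * @param[in] len Length (in bytes) to search
 *
 * @return offset in buffer where fmap is found if successful
 *         -1 to indicate that fmap was not found (including a NULL buffer or
 *            one too small to hold an fmap header at all)
 *         -2 to indicate fmap is truncated or exceeds buffer + len
 */
static off_t fmap_lsearch(const uint8_t *buf, size_t len)
{
	/* Guard the subtraction below: with len < sizeof(struct fmap) the bound
	 * would wrap around and the loop would only terminate by relying on an
	 * implementation-defined size_t -> off_t conversion. */
	if (buf == NULL || len < sizeof(struct fmap))
		return -1;

	const size_t last = len - sizeof(struct fmap);
	size_t offset;
	for (offset = 0; offset <= last; offset++) {
		if (is_valid_fmap((const struct fmap *)&buf[offset]))
			break;
	}
	if (offset > last)
		return -1;

	/* The header fits, but the area table it announces may not. Compare
	 * against the remaining space so the check cannot overflow. */
	const struct fmap *fmap = (const struct fmap *)&buf[offset];
	if (fmap_size(fmap) > len - offset) {
		msg_gerr("fmap size exceeds buffer boundary.\n");
		return -2;
	}
	return (off_t)offset;
}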
/**
 * @brief Read fmap from provided buffer and copy it to fmap_out
 *
 * @param[out] fmap_out Double-pointer to location to store fmap contents.
 *                      Caller must free allocated fmap contents.
 * @param[in]  buf      Buffer to search
 * @param[in]  len      Length (in bytes) to search
 *
 * @return 0 if successful
 *         1 to indicate error (allocation failed; *fmap_out is NULL)
 *         2 to indicate fmap is not found (or does not fit in the buffer)
 */
int fmap_read_from_buffer(struct fmap **fmap_out, const uint8_t *const buf, size_t len)
{
	const off_t offset = fmap_lsearch(buf, len);
	if (offset < 0) {
		msg_gdbg("Unable to find fmap in provided buffer.\n");
		return 2;
	}
	msg_gdbg("Found fmap at offset 0x%06zx\n", (size_t)offset);

	/* fmap_lsearch() already verified that the whole blob, header plus
	 * area table, lies inside buf, so the copy below is in bounds. */
	const struct fmap *const found = (const struct fmap *)(buf + offset);
	const size_t total = fmap_size(found);
	*fmap_out = malloc(total);
	if (*fmap_out == NULL) {
		msg_gerr("Out of memory.\n");
		return 1;
	}
	memcpy(*fmap_out, found, total);
	return 0;
}
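/* Read the whole [rom_offset, rom_offset + len) window from the chip and run
 * the linear buffer search over it. On success *fmap_out holds a heap copy
 * of the fmap that the caller must free.
 *
 * Returns 0 on success, 2 if no fmap was found in the window, and 1 on any
 * other error (window outside the chip, flash access, allocation or read
 * failure). */
static int fmap_lsearch_rom(struct fmap **fmap_out,
		struct flashctx *const flashctx, size_t rom_offset, size_t len)
{
	int ret = 1;
	uint8_t *buf = NULL;
	const size_t chip_size = (size_t)flashctx->chip->total_size * 1024;

	/* Refuse windows that run past the end of the chip, written so the
	 * addition cannot wrap. fmap_bsearch_rom() applies the same bound;
	 * without it here the fallback path would hand the chip driver an
	 * out-of-range read request. */
	if (len > chip_size || rom_offset > chip_size - len)
		return 1;

	if (prepare_flash_access(flashctx, true, false, false, false))
		goto _finalize_ret;

	/* Likely more memory than we need, but it simplifies handling and
	 * printing offsets to keep them uniform with what's on the ROM. The
	 * bound check above guarantees rom_offset + len does not overflow. */
	buf = malloc(rom_offset + len);
	if (!buf) {
		msg_gerr("Out of memory.\n");
		goto _finalize_ret;
	}

	if (flashctx->chip->read(flashctx, buf + rom_offset, rom_offset, len)) {
		msg_pdbg("Cannot read ROM contents.\n");
		goto _free_ret;
	}

	ret = fmap_read_from_buffer(fmap_out, buf + rom_offset, len);
_free_ret:
	free(buf);
_finalize_ret:
	finalize_flash_access(flashctx);
	return ret;
}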
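/* Probe the chip at decreasing power-of-two strides looking for an fmap
 * header, then read the complete fmap once a header validates. Each probe
 * first fetches only the signature bytes so that slow programmers transfer
 * as little as possible.
 *
 * @param[out] fmap_out   Receives a heap copy of the fmap on success; the
 *                        caller must free it.
 * @param[in]  flashctx   Flash context with a valid chip.
 * @param[in]  rom_offset First offset to probe.
 * @param[in]  len        Length of the window to probe, relative to rom_offset.
 * @param[in]  min_stride Smallest stride to try; must be non-zero.
 *
 * Returns 0 on success, 2 if a signature was seen but the fmap could not be
 * validated or read completely, and 1 on any other error (bad arguments,
 * flash access, allocation, or no signature at any probed offset). */
static int fmap_bsearch_rom(struct fmap **fmap_out, struct flashctx *const flashctx,
		size_t rom_offset, size_t len, size_t min_stride)
{
	size_t stride, fmap_len = 0;
	int ret = 1, fmap_found = 0, check_offset_0 = 1;
	struct fmap *fmap;
	const size_t chip_size = (size_t)flashctx->chip->total_size * 1024;
	const int sig_len = strlen(FMAP_SIGNATURE);

	/* Bound the search window to the chip, written so the addition cannot
	 * wrap for large rom_offset/len values. */
	if (len > chip_size || rom_offset > chip_size - len)
		return 1;
	if (len < sizeof(*fmap))
		return 1;
	/* A zero stride would make the offset loop below spin forever. */
	if (min_stride == 0)
		return 1;

	if (prepare_flash_access(flashctx, true, false, false, false))
		return 1;

	fmap = malloc(sizeof(*fmap));
	if (!fmap) {
		msg_gerr("Out of memory.\n");
		goto _free_ret;
	}

	/*
	 * For efficient operation, we start with the largest stride possible
	 * and then decrease the stride on each iteration. Also, check for a
	 * remainder when modding the offset with the previous stride. This
	 * makes it so that each offset is only checked once.
	 *
	 * Zero (rom_offset == 0) is a special case and is handled using a
	 * variable to track whether or not we've checked it.
	 */
	size_t offset = rom_offset;
	for (stride = chip_size / 2; stride >= min_stride; stride /= 2) {
		if (stride > len)
			continue;
		for (offset = rom_offset;
		     offset <= rom_offset + len - sizeof(struct fmap);
		     offset += stride) {
			if ((offset % (stride * 2) == 0) && (offset != 0))
				continue;
			if (offset == 0 && !check_offset_0)
				continue;
			check_offset_0 = 0;

			/* Read errors are considered non-fatal since we may
			 * encounter locked regions and want to continue. */
			if (flashctx->chip->read(flashctx, (uint8_t *)fmap, offset, sig_len)) {
				/*
				 * Print in verbose mode only to avoid excessive
				 * messages for benign errors. Subsequent error
				 * prints should be done as usual.
				 */
				msg_cdbg("Cannot read %d bytes at offset %zu\n", sig_len, offset);
				continue;
			}
			if (memcmp(fmap, FMAP_SIGNATURE, sig_len) != 0)
				continue;

			/* Signature matched: fetch the remainder of the header. */
			if (flashctx->chip->read(flashctx, (uint8_t *)fmap + sig_len,
						 offset + sig_len, sizeof(*fmap) - sig_len)) {
				msg_cerr("Cannot read %zu bytes at offset %06zx\n",
					 sizeof(*fmap) - sig_len, offset + sig_len);
				continue;
			}
			if (is_valid_fmap(fmap)) {
				msg_gdbg("fmap found at offset 0x%06zx\n", offset);
				fmap_found = 1;
				break;
			}
			msg_gerr("fmap signature found at %zu but header is invalid.\n", offset);
			ret = 2;
		}
		if (fmap_found)
			break;
	}
	if (!fmap_found)
		goto _free_ret;

	/* Grow the buffer to hold the area table announced by the header. The
	 * old pointer stays valid on realloc failure and is released below. */
	fmap_len = fmap_size(fmap);
	struct fmap *tmp = realloc(fmap, fmap_len);
	if (!tmp) {
		msg_gerr("Failed to realloc.\n");
		goto _free_ret;
	}
	fmap = tmp;

	/* Read the area table. Skip the read entirely when the header announces
	 * no areas so chip drivers never see a zero-length request. */
	if (fmap_len > sizeof(*fmap) &&
	    flashctx->chip->read(flashctx, (uint8_t *)fmap + sizeof(*fmap),
				 offset + sizeof(*fmap), fmap_len - sizeof(*fmap))) {
		msg_cerr("Cannot read %zu bytes at offset %06zx\n",
			 fmap_len - sizeof(*fmap), offset + sizeof(*fmap));
		/* Treat read failure as fatal since this should be a valid,
		 * usable fmap. */
		ret = 2;
		goto _free_ret;
	}

	*fmap_out = fmap;
	ret = 0;
_free_ret:
	if (ret)
		free(fmap);
	finalize_flash_access(flashctx);
	return ret;
}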
/**
 * @brief Read fmap from ROM
 *
 * @param[out] fmap_out   Double-pointer to location to store fmap contents.
 *                        Caller must free allocated fmap contents.
 * @param[in]  flashctx   Flash context
 * @param[in]  rom_offset Offset in ROM to begin search
 * @param[in]  len        Length to search relative to rom_offset
 *
 * @return 0 on success,
 *         2 if the fmap couldn't be read,
 *         1 on any other error.
 */
int fmap_read_from_rom(struct fmap **fmap_out,
		struct flashctx *const flashctx, size_t rom_offset, size_t len)
{
	/* Smallest probe stride before the binary search gives up and the
	 * brute-force read of the whole window takes over. */
	const size_t min_stride = 256;

	if (flashctx == NULL || flashctx->chip == NULL)
		return 1;

	/*
	 * Binary search is used at first to see if we can find an fmap quickly
	 * in a usual location (often at a power-of-2 offset). However, once we
	 * reach a small enough stride the transaction overhead will reverse the
	 * speed benefit of using bsearch at which point we need to use brute-
	 * force instead.
	 *
	 * TODO: Since flashrom is often used with high-latency external
	 * programmers we should not be overly aggressive with bsearch.
	 */
	if (fmap_bsearch_rom(fmap_out, flashctx, rom_offset, len, min_stride) == 0)
		return 0;

	msg_gdbg("Binary search failed, trying linear search...\n");
	return fmap_lsearch_rom(fmap_out, flashctx, rom_offset, len);
}