From: Rafał Miłecki Date: Sat, 12 May 2018 21:34:43 +0000 (+0200) Subject: kernel: use accepted version of bcm47xxpart fix commit X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=7b54d52a443e7f8a9a0ce23003b42dcab5f64f96;p=openwrt%2Fstaging%2Fhauke.git kernel: use accepted version of bcm47xxpart fix commit Signed-off-by: Rafał Miłecki (cherry picked from commit 404508001e9f2bbf09fc4c4027cf16b8720124db) --- diff --git a/target/linux/generic/patches-4.4/042-v4.18-0009-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch b/target/linux/generic/patches-4.4/042-v4.18-0009-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch new file mode 100644 index 0000000000..eb3f9bdfc8 --- /dev/null +++ b/target/linux/generic/patches-4.4/042-v4.18-0009-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch @@ -0,0 +1,70 @@ +From 237ea0d4762cc14d0fc80e80d61f0f08e1050c7f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Thu, 12 Apr 2018 07:24:52 +0200 +Subject: [PATCH] mtd: bcm47xxpart: improve handling TRX partition size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When bcm47xxpart finds a TRX partition (container) it's supposed to jump +to the end of it and keep looking for more partitions. TRX and its +subpartitions are handled by a separate parser. + +The problem with old code was relying on the length specified in a TRX +header. That isn't reliable as TRX is commonly modified to have checksum +cover only non-changing subpartitions. Otherwise modifying e.g. a rootfs +would result in CRC32 mismatch and bootloader refusing to boot a +firmware. + +Fix it by trying better to figure out a real TRX size. We can securely +assume that TRX has to cover all subpartitions and the last one is at +least of a block size in size. Then compare it with a length field. + +This makes code more optimal & reliable thanks to skipping data that +shouldn't be parsed. + +Signed-off-by: Rafał Miłecki +Signed-off-by: Boris Brezillon +--- + drivers/mtd/bcm47xxpart.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/bcm47xxpart.c ++++ b/drivers/mtd/bcm47xxpart.c +@@ -268,6 +268,8 @@ static int bcm47xxpart_parse(struct mtd_ + /* TRX */ + if (buf[0x000 / 4] == TRX_MAGIC) { + struct trx_header *trx; ++ uint32_t last_subpart; ++ uint32_t trx_size; + + if (trx_num >= ARRAY_SIZE(trx_parts)) + pr_warn("No enough space to store another TRX found at 0x%X\n", +@@ -277,11 +279,23 @@ static int bcm47xxpart_parse(struct mtd_ + bcm47xxpart_add_part(&parts[curr_part++], "firmware", + offset, 0); + +- /* Jump to the end of TRX */ ++ /* ++ * Try to find TRX size. The "length" field isn't fully ++ * reliable as it could be decreased to make CRC32 cover ++ * only part of TRX data. It's commonly used as checksum ++ * can't cover e.g. ever-changing rootfs partition. ++ * Use offsets as helpers for assuming min TRX size. ++ */ + trx = (struct trx_header *)buf; +- offset = roundup(offset + trx->length, blocksize); +- /* Next loop iteration will increase the offset */ +- offset -= blocksize; ++ last_subpart = max3(trx->offset[0], trx->offset[1], ++ trx->offset[2]); ++ trx_size = max(trx->length, last_subpart + blocksize); ++ ++ /* ++ * Skip the TRX data. Decrease offset by block size as ++ * the next loop iteration will increase it. ++ */ ++ offset += roundup(trx_size, blocksize) - blocksize; + continue; + } + diff --git a/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch b/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch deleted file mode 100644 index 31acebf50f..0000000000 --- a/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= -Subject: [PATCH] mtd: bcm47xxpart: improve handling TRX partition size -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When bcm47xxpart finds a TRX partition (container) it's supposed to jump -to the end of it and keep looking for more partitions. TRX and its -subpartitions are handled be a separated parser. - -The problem with old code was relying on the length specified in a TRX -header. That isn't reliable as TRX is commonly modified to have checksum -cover only non-changing subpartitions. Otherwise modifying e.g. a rootfs -would result in CRC32 mismatch and bootloader refusing to boot a -firmware. - -Fix it by trying better to figure out a real TRX size. We can securely -assume that TRX has to cover all subpartitions and the last one is at -least of a block size in size. Then compare it with a length field. - -This makes code more optimal & reliable thanks to skipping data that -shouldn't be parsed. - -Signed-off-by: Rafał Miłecki ---- - ---- a/drivers/mtd/bcm47xxpart.c -+++ b/drivers/mtd/bcm47xxpart.c -@@ -268,6 +268,8 @@ static int bcm47xxpart_parse(struct mtd_ - /* TRX */ - if (buf[0x000 / 4] == TRX_MAGIC) { - struct trx_header *trx; -+ uint32_t last_subpart; -+ uint32_t trx_size; - - if (trx_num >= ARRAY_SIZE(trx_parts)) - pr_warn("No enough space to store another TRX found at 0x%X\n", -@@ -277,11 +279,23 @@ static int bcm47xxpart_parse(struct mtd_ - bcm47xxpart_add_part(&parts[curr_part++], "firmware", - offset, 0); - -- /* Jump to the end of TRX */ -+ /* -+ * Try to find TRX size. The "length" field isn't fully -+ * reliable as it could be decreased to make CRC32 cover -+ * only part of TRX data. It's commonly used as checksum -+ * can't cover e.g. ever-changing rootfs partition. -+ * Use offsets as helpers for assuming min TRX size. -+ */ - trx = (struct trx_header *)buf; -- offset = roundup(offset + trx->length, blocksize); -- /* Next loop iteration will increase the offset */ -- offset -= blocksize; -+ last_subpart = max3(trx->offset[0], trx->offset[1], -+ trx->offset[2]); -+ trx_size = max(trx->length, last_subpart + blocksize); -+ -+ /* -+ * Skip the TRX data. Decrease offset by block size as -+ * the next loop iteration will increase it. -+ */ -+ offset += roundup(trx_size, blocksize) - blocksize; - continue; - } -