[PATCH] ignore huge OF properties

Julie DeWandel jdewand at redhat.com
Thu Mar 25 01:20:27 EST 2004


Hello Anton,

Anton Blanchard wrote:

>>In addition to the patch you provided, it is also necessary to ensure
>>that the initrd image cannot be overwritten by calls into prom such as:
>>
>>	pp->length = (int)(long) call_prom(RELOC("getprop"), 4, 1, node,
>>					   namep,valp, mem_end - mem_start);
>>
>>
>>Here, mem_end needs to have been carefully chosen so that it doesn't
>>start somewhere in the middle of the initrd image or past it. However,
>>mem_end is arbitrarily chosen by copy_device_node to be 8MB beyond the
>>starting mem_start value. In code I have been working with, mem_end has
>>landed well into the initrd memory image.
>>
>>The attached patch corrects this problem for the 2.6 ameslab tree.
>>Please consider pushing it to ameslab, as I don't know how to do that.
>>
>>
>
>I think we should be checking further down in inspect_node as well. Also
>we should rethink that 8MB limit, on our big machines we might have
>device trees bigger than that.
>
>Anton
>

I agree that we may want to reconsider the 8 MB limit, but please push
the patch I suggested as that is required for Linux to boot on one of
the machines we have. Without it, the system crashes because the initrd
image gets overwritten with zeros.

The real problem on our machine wasn't the 8 MB limit since the
resultant device tree (once the errant properties are discarded) is only
about 1 MB. The 8 MB limit was an issue only because it was beyond the
start of the initrd image in memory. And when this size was specified to
the firmware as being legitimate memory to use, the firmware used it all
because it encountered a property whose length was nearly 17 MB. The code
in inspect_node() doesn't know ahead of time how big a property is -- it
only finds out after it has asked for and received it. By then it is too
late if the memory size passed to the firmware initially was incorrect.

I have attached an updated patch against 2.6 which checks for an
overflow after the device tree is built. I added the check in
copy_device_tree(), rather than in inspect_node(), since the end result
of an overflow is to abandon ship. Hopefully this adequately addresses
the issue you raised. Comments are welcome.

Regards,
Julie
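
A small C model of the failure and the fix described above, added here as an illustration and not the patch from this thread or the ameslab kernel code: the firmware stand-in writes up to the caller's buffer size, so an unclamped mem_end lets a huge property land in the initrd, while clamping mem_end to the initrd start and checking the returned length afterwards keeps the image intact. The memory layout, the sizes and the names fake_getprop, choose_mem_end, copy_property and copy_outcome are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for physical memory: the device tree is copied into
 * scratch space starting at offset 8; the initrd occupies [40, 64). */
#define RAM_SIZE 64
#define INITRD_START 40
static uint8_t ram[RAM_SIZE];
/* Stand-in for the firmware getprop call: writes at most buflen bytes of the
 * property and reports its true length, so a property larger than the buffer
 * fills the whole buffer, which is how the initrd got overwritten. */
static int fake_getprop(const uint8_t *prop, int proplen,
                        uint8_t *buf, int buflen) {
    if (buflen < 0) return -1;
    memcpy(buf, prop, proplen < buflen ? proplen : buflen);
    return proplen;
}
/* The fix from the thread: clamp the scratch limit so it never reaches the
 * initrd, instead of taking an arbitrary fixed offset past mem_start. */
static size_t choose_mem_end(size_t mem_start, size_t limit, size_t initrd) {
    size_t end = mem_start + limit;
    return end > initrd ? initrd : end;
}
/* Copy one property; returns -1 (overflow, abandon ship) when its reported
 * length exceeds the room left, otherwise advances mem_start. */
static int copy_property(const uint8_t *prop, int proplen,
                         size_t *mem_start, size_t mem_end) {
    int len = fake_getprop(prop, proplen, ram + *mem_start,
                           (int)(mem_end - *mem_start));
    if (len < 0 || (size_t)len > mem_end - *mem_start) return -1;
    *mem_start += (size_t)len;
    return 0;
}
/* Copies one zero-filled property of proplen bytes with (clamp=1) or without
 * (clamp=0) the clamped mem_end. Returns bit 0 set if the initrd survived
 * and bit 1 set if the post-copy length check detected an overflow. */
int copy_outcome(int proplen, int clamp) {
    uint8_t prop[RAM_SIZE] = {0};           /* the "huge" all-zero property */
    memset(ram, 0, sizeof ram);
    memset(ram + INITRD_START, 0xAB, RAM_SIZE - INITRD_START);
    size_t mem_start = 8, limit = 48;       /* 8 + 48 = 56 reaches into initrd */
    size_t mem_end = clamp ? choose_mem_end(mem_start, limit, INITRD_START)
                           : mem_start + limit;
    int overflow = copy_property(prop, proplen, &mem_start, mem_end) < 0;
    for (int i = INITRD_START; i < RAM_SIZE; i++)
        if (ram[i] != 0xAB) return overflow ? 2 : 0;
    return overflow ? 3 : 1;
}
```

With the unclamped limit the overflow is still detected, but only after the initrd has already been zeroed, which is the "too late" case the message describes.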

Attachment: initrd_overwrite_fix
http://ozlabs.org/pipermail/linuxppc64-dev/attachments/20040324/7b516ab0/attachment.txt