1 /*
2 * Wrapper for decompressing XZ-compressed kernel, initramfs, and initrd
3 *
4 * Author: Lasse Collin <lasse.collin@tukaani.org>
5 *
6 * This file has been put into the public domain.
7 * You can do whatever you want with this file.
8 */
9
10 /*
11 * Important notes about in-place decompression
12 *
13 * At least on x86, the kernel is decompressed in place: the compressed data
14 * is placed to the end of the output buffer, and the decompressor overwrites
15 * most of the compressed data. There must be enough safety margin to
16 * guarantee that the write position is always behind the read position.
17 *
18 * The safety margin for XZ with LZMA2 or BCJ+LZMA2 is calculated below.
19 * Note that the margin with XZ is bigger than with Deflate (gzip)!
20 *
21 * The worst case for in-place decompression is that the beginning of
22 * the file is compressed extremely well, and the rest of the file is
23 * uncompressible. Thus, we must look for worst-case expansion when the
24 * compressor is encoding uncompressible data.
25 *
26 * The structure of the .xz file in case of a compresed kernel is as follows.
27 * Sizes (as bytes) of the fields are in parenthesis.
28 *
29 * Stream Header (12)
30 * Block Header:
31 * Block Header (8-12)
32 * Compressed Data (N)
33 * Block Padding (0-3)
34 * CRC32 (4)
35 * Index (8-20)
36 * Stream Footer (12)
37 *
38 * Normally there is exactly one Block, but let's assume that there are
39 * 2-4 Blocks just in case. Because Stream Header and also Block Header
40 * of the first Block don't make the decompressor produce any uncompressed
41 * data, we can ignore them from our calculations. Block Headers of possible
42 * additional Blocks have to be taken into account still. With these
43 * assumptions, it is safe to assume that the total header overhead is
44 * less than 128 bytes.
45 *
46 * Compressed Data contains LZMA2 or BCJ+LZMA2 encoded data. Since BCJ
47 * doesn't change the size of the data, it is enough to calculate the
48 * safety margin for LZMA2.
49 *
50 * LZMA2 stores the data in chunks. Each chunk has a header whose size is
51 * a maximum of 6 bytes, but to get round 2^n numbers, let's assume that
52 * the maximum chunk header size is 8 bytes. After the chunk header, there
53 * may be up to 64 KiB of actual payload in the chunk. Often the payload is
54 * quite a bit smaller though; to be safe, let's assume that an average
55 * chunk has only 32 KiB of payload.
56 *
57 * The maximum uncompressed size of the payload is 2 MiB. The minimum
58 * uncompressed size of the payload is in practice never less than the
59 * payload size itself. The LZMA2 format would allow uncompressed size
60 * to be less than the payload size, but no sane compressor creates such
61 * files. LZMA2 supports storing uncompressible data in uncompressed form,
62 * so there's never a need to create payloads whose uncompressed size is
63 * smaller than the compressed size.
64 *
65 * The assumption, that the uncompressed size of the payload is never
66 * smaller than the payload itself, is valid only when talking about
67 * the payload as a whole. It is possible that the payload has parts where
68 * the decompressor consumes more input than it produces output. Calculating
69 * the worst case for this would be tricky. Instead of trying to do that,
70 * let's simply make sure that the decompressor never overwrites any bytes
71 * of the payload which it is currently reading.
72 *
73 * Now we have enough information to calculate the safety margin. We need
74 * - 128 bytes for the .xz file format headers;
75 * - 8 bytes per every 32 KiB of uncompressed size (one LZMA2 chunk header
76 * per chunk, each chunk having average payload size of 32 KiB); and
77 * - 64 KiB (biggest possible LZMA2 chunk payload size) to make sure that
78 * the decompressor never overwrites anything from the LZMA2 chunk
79 * payload it is currently reading.
80 *
81 * We get the following formula:
82 *
83 * safety_margin = 128 + uncompressed_size * 8 / 32768 + 65536
84 * = 128 + (uncompressed_size >> 12) + 65536
85 *
86 * For comparison, according to arch/x86/boot/compressed/misc.c, the
87 * equivalent formula for Deflate is this:
88 *
89 * safety_margin = 18 + (uncompressed_size >> 12) + 32768
90 *
91 * Thus, when updating Deflate-only in-place kernel decompressor to
92 * support XZ, the fixed overhead has to be increased from 18+32768 bytes
93 * to 128+65536 bytes.
94 */
95
96 /*
97 * STATIC is defined to "static" if we are being built for kernel
98 * decompression (pre-boot code). <linux/decompress/mm.h> will define
99 * STATIC to empty if it wasn't already defined. Since we will need to
100 * know later if we are being used for kernel decompression, we define
101 * XZ_PREBOOT here.
102 */
103 #ifdef STATIC
104 # define XZ_PREBOOT
105 #endif
106 #ifdef __KERNEL__
107 # include <linux/decompress/mm.h>
108 #endif
109 #define XZ_EXTERN STATIC
110
111 #ifndef XZ_PREBOOT
112 # include <linux/slab.h>
113 # include <linux/xz.h>
114 #else
115 /*
116 * Use the internal CRC32 code instead of kernel's CRC32 module, which
117 * is not available in early phase of booting.
118 */
119 #define XZ_INTERNAL_CRC32 1
120
121 /*
122 * For boot time use, we enable only the BCJ filter of the current
123 * architecture or none if no BCJ filter is available for the architecture.
124 */
125 #ifdef CONFIG_X86
126 # define XZ_DEC_X86
127 #endif
128 #ifdef CONFIG_PPC
129 # define XZ_DEC_POWERPC
130 #endif
131 #ifdef CONFIG_ARM
132 # ifdef CONFIG_THUMB2_KERNEL
133 # define XZ_DEC_ARMTHUMB
134 # else
135 # define XZ_DEC_ARM
136 # endif
137 #endif
138 #ifdef CONFIG_IA64
139 # define XZ_DEC_IA64
140 #endif
141 #ifdef CONFIG_SPARC
142 # define XZ_DEC_SPARC
143 #endif
144
145 /*
146 * This will get the basic headers so that memeq() and others
147 * can be defined.
148 */
149 #include "xz/xz_private.h"
150
151 /*
152 * Replace the normal allocation functions with the versions from
153 * <linux/decompress/mm.h>. vfree() needs to support vfree(NULL)
154 * when XZ_DYNALLOC is used, but the pre-boot free() doesn't support it.
155 * Workaround it here because the other decompressors don't need it.
156 */
157 #undef kmalloc
158 #undef kfree
159 #undef vmalloc
160 #undef vfree
161 #define kmalloc(size, flags) malloc(size)
162 #define kfree(ptr) free(ptr)
163 #define vmalloc(size) malloc(size)
164 #define vfree(ptr) do { if (ptr != NULL) free(ptr); } while (0)
165
166 /*
167 * FIXME: Not all basic memory functions are provided in architecture-specific
168 * files (yet). We define our own versions here for now, but this should be
169 * only a temporary solution.
170 *
171 * memeq and memzero are not used much and any remotely sane implementation
172 * is fast enough. memcpy/memmove speed matters in multi-call mode, but
173 * the kernel image is decompressed in single-call mode, in which only
174 * memmove speed can matter and only if there is a lot of uncompressible data
175 * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the
176 * functions below should just be kept small; it's probably not worth
177 * optimizing for speed.
178 */
179
180 #ifndef memeq
memeq(const void * a,const void * b,size_t size)181 static bool memeq(const void *a, const void *b, size_t size)
182 {
183 const uint8_t *x = a;
184 const uint8_t *y = b;
185 size_t i;
186
187 for (i = 0; i < size; ++i)
188 if (x[i] != y[i])
189 return false;
190
191 return true;
192 }
193 #endif
194
195 #ifndef memzero
memzero(void * buf,size_t size)196 static void memzero(void *buf, size_t size)
197 {
198 uint8_t *b = buf;
199 uint8_t *e = b + size;
200
201 while (b != e)
202 *b++ = '\0';
203 }
204 #endif
205
206 #ifndef memmove
207 /* Not static to avoid a conflict with the prototype in the Linux headers. */
memmove(void * dest,const void * src,size_t size)208 void *memmove(void *dest, const void *src, size_t size)
209 {
210 uint8_t *d = dest;
211 const uint8_t *s = src;
212 size_t i;
213
214 if (d < s) {
215 for (i = 0; i < size; ++i)
216 d[i] = s[i];
217 } else if (d > s) {
218 i = size;
219 while (i-- > 0)
220 d[i] = s[i];
221 }
222
223 return dest;
224 }
225 #endif
226
227 /*
228 * Since we need memmove anyway, would use it as memcpy too.
229 * Commented out for now to avoid breaking things.
230 */
231 /*
232 #ifndef memcpy
233 # define memcpy memmove
234 #endif
235 */
236
237 #include "xz/xz_crc32.c"
238 #include "xz/xz_dec_stream.c"
239 #include "xz/xz_dec_lzma2.c"
240 #include "xz/xz_dec_bcj.c"
241
242 #endif /* XZ_PREBOOT */
243
244 /* Size of the input and output buffers in multi-call mode */
245 #define XZ_IOBUF_SIZE 4096
246
247 /*
248 * This function implements the API defined in <linux/decompress/generic.h>.
249 *
250 * This wrapper will automatically choose single-call or multi-call mode
251 * of the native XZ decoder API. The single-call mode can be used only when
252 * both input and output buffers are available as a single chunk, i.e. when
253 * fill() and flush() won't be used.
254 */
unxz(unsigned char * in,long in_size,long (* fill)(void * dest,unsigned long size),long (* flush)(void * src,unsigned long size),unsigned char * out,long * in_used,void (* error)(char * x))255 STATIC int INIT unxz(unsigned char *in, long in_size,
256 long (*fill)(void *dest, unsigned long size),
257 long (*flush)(void *src, unsigned long size),
258 unsigned char *out, long *in_used,
259 void (*error)(char *x))
260 {
261 struct xz_buf b;
262 struct xz_dec *s;
263 enum xz_ret ret;
264 bool must_free_in = false;
265
266 #if XZ_INTERNAL_CRC32
267 xz_crc32_init();
268 #endif
269
270 if (in_used != NULL)
271 *in_used = 0;
272
273 if (fill == NULL && flush == NULL)
274 s = xz_dec_init(XZ_SINGLE, 0);
275 else
276 s = xz_dec_init(XZ_DYNALLOC, (uint32_t)-1);
277
278 if (s == NULL)
279 goto error_alloc_state;
280
281 if (flush == NULL) {
282 b.out = out;
283 b.out_size = (size_t)-1;
284 } else {
285 b.out_size = XZ_IOBUF_SIZE;
286 b.out = malloc(XZ_IOBUF_SIZE);
287 if (b.out == NULL)
288 goto error_alloc_out;
289 }
290
291 if (in == NULL) {
292 must_free_in = true;
293 in = malloc(XZ_IOBUF_SIZE);
294 if (in == NULL)
295 goto error_alloc_in;
296 }
297
298 b.in = in;
299 b.in_pos = 0;
300 b.in_size = in_size;
301 b.out_pos = 0;
302
303 if (fill == NULL && flush == NULL) {
304 ret = xz_dec_run(s, &b);
305 } else {
306 do {
307 if (b.in_pos == b.in_size && fill != NULL) {
308 if (in_used != NULL)
309 *in_used += b.in_pos;
310
311 b.in_pos = 0;
312
313 in_size = fill(in, XZ_IOBUF_SIZE);
314 if (in_size < 0) {
315 /*
316 * This isn't an optimal error code
317 * but it probably isn't worth making
318 * a new one either.
319 */
320 ret = XZ_BUF_ERROR;
321 break;
322 }
323
324 b.in_size = in_size;
325 }
326
327 ret = xz_dec_run(s, &b);
328
329 if (flush != NULL && (b.out_pos == b.out_size
330 || (ret != XZ_OK && b.out_pos > 0))) {
331 /*
332 * Setting ret here may hide an error
333 * returned by xz_dec_run(), but probably
334 * it's not too bad.
335 */
336 if (flush(b.out, b.out_pos) != (long)b.out_pos)
337 ret = XZ_BUF_ERROR;
338
339 b.out_pos = 0;
340 }
341 } while (ret == XZ_OK);
342
343 if (must_free_in)
344 free(in);
345
346 if (flush != NULL)
347 free(b.out);
348 }
349
350 if (in_used != NULL)
351 *in_used += b.in_pos;
352
353 xz_dec_end(s);
354
355 switch (ret) {
356 case XZ_STREAM_END:
357 return 0;
358
359 case XZ_MEM_ERROR:
360 /* This can occur only in multi-call mode. */
361 error("XZ decompressor ran out of memory");
362 break;
363
364 case XZ_FORMAT_ERROR:
365 error("Input is not in the XZ format (wrong magic bytes)");
366 break;
367
368 case XZ_OPTIONS_ERROR:
369 error("Input was encoded with settings that are not "
370 "supported by this XZ decoder");
371 break;
372
373 case XZ_DATA_ERROR:
374 case XZ_BUF_ERROR:
375 error("XZ-compressed data is corrupt");
376 break;
377
378 default:
379 error("Bug in the XZ decompressor");
380 break;
381 }
382
383 return -1;
384
385 error_alloc_in:
386 if (flush != NULL)
387 free(b.out);
388
389 error_alloc_out:
390 xz_dec_end(s);
391
392 error_alloc_state:
393 error("XZ decompressor ran out of memory");
394 return -1;
395 }
396
397 /*
398 * This macro is used by architecture-specific files to decompress
399 * the kernel image.
400 */
401 #ifdef XZ_PREBOOT
__decompress(unsigned char * buf,long len,long (* fill)(void *,unsigned long),long (* flush)(void *,unsigned long),unsigned char * out_buf,long olen,long * pos,void (* error)(char * x))402 STATIC int INIT __decompress(unsigned char *buf, long len,
403 long (*fill)(void*, unsigned long),
404 long (*flush)(void*, unsigned long),
405 unsigned char *out_buf, long olen,
406 long *pos,
407 void (*error)(char *x))
408 {
409 return unxz(buf, len, fill, flush, out_buf, pos, error);
410 }
411 #endif
412