1 // SPDX-License-Identifier: 0BSD 2 3 /* 4 * Wrapper for decompressing XZ-compressed kernel, initramfs, and initrd 5 * 6 * Author: Lasse Collin <lasse.collin@tukaani.org> 7 */ 8 9 /* 10 * Important notes about in-place decompression 11 * 12 * At least on x86, the kernel is decompressed in place: the compressed data 13 * is placed to the end of the output buffer, and the decompressor overwrites 14 * most of the compressed data. There must be enough safety margin to 15 * guarantee that the write position is always behind the read position. 16 * 17 * The safety margin for XZ with LZMA2 or BCJ+LZMA2 is calculated below. 18 * Note that the margin with XZ is bigger than with Deflate (gzip)! 19 * 20 * The worst case for in-place decompression is that the beginning of 21 * the file is compressed extremely well, and the rest of the file is 22 * incompressible. Thus, we must look for worst-case expansion when the 23 * compressor is encoding incompressible data. 24 * 25 * The structure of the .xz file in case of a compressed kernel is as follows. 26 * Sizes (as bytes) of the fields are in parenthesis. 27 * 28 * Stream Header (12) 29 * Block Header: 30 * Block Header (8-12) 31 * Compressed Data (N) 32 * Block Padding (0-3) 33 * CRC32 (4) 34 * Index (8-20) 35 * Stream Footer (12) 36 * 37 * Normally there is exactly one Block, but let's assume that there are 38 * 2-4 Blocks just in case. Because Stream Header and also Block Header 39 * of the first Block don't make the decompressor produce any uncompressed 40 * data, we can ignore them from our calculations. Block Headers of possible 41 * additional Blocks have to be taken into account still. With these 42 * assumptions, it is safe to assume that the total header overhead is 43 * less than 128 bytes. 44 * 45 * Compressed Data contains LZMA2 or BCJ+LZMA2 encoded data. Since BCJ 46 * doesn't change the size of the data, it is enough to calculate the 47 * safety margin for LZMA2. 48 * 49 * LZMA2 stores the data in chunks. Each chunk has a header whose size is 50 * a maximum of 6 bytes, but to get round 2^n numbers, let's assume that 51 * the maximum chunk header size is 8 bytes. After the chunk header, there 52 * may be up to 64 KiB of actual payload in the chunk. Often the payload is 53 * quite a bit smaller though; to be safe, let's assume that an average 54 * chunk has only 32 KiB of payload. 55 * 56 * The maximum uncompressed size of the payload is 2 MiB. The minimum 57 * uncompressed size of the payload is in practice never less than the 58 * payload size itself. The LZMA2 format would allow uncompressed size 59 * to be less than the payload size, but no sane compressor creates such 60 * files. LZMA2 supports storing incompressible data in uncompressed form, 61 * so there's never a need to create payloads whose uncompressed size is 62 * smaller than the compressed size. 63 * 64 * The assumption, that the uncompressed size of the payload is never 65 * smaller than the payload itself, is valid only when talking about 66 * the payload as a whole. It is possible that the payload has parts where 67 * the decompressor consumes more input than it produces output. Calculating 68 * the worst case for this would be tricky. Instead of trying to do that, 69 * let's simply make sure that the decompressor never overwrites any bytes 70 * of the payload which it is currently reading. 71 * 72 * Now we have enough information to calculate the safety margin. We need 73 * - 128 bytes for the .xz file format headers; 74 * - 8 bytes per every 32 KiB of uncompressed size (one LZMA2 chunk header 75 * per chunk, each chunk having average payload size of 32 KiB); and 76 * - 64 KiB (biggest possible LZMA2 chunk payload size) to make sure that 77 * the decompressor never overwrites anything from the LZMA2 chunk 78 * payload it is currently reading. 79 * 80 * We get the following formula: 81 * 82 * safety_margin = 128 + uncompressed_size * 8 / 32768 + 65536 83 * = 128 + (uncompressed_size >> 12) + 65536 84 * 85 * For comparison, according to arch/x86/boot/compressed/misc.c, the 86 * equivalent formula for Deflate is this: 87 * 88 * safety_margin = 18 + (uncompressed_size >> 12) + 32768 89 * 90 * Thus, when updating Deflate-only in-place kernel decompressor to 91 * support XZ, the fixed overhead has to be increased from 18+32768 bytes 92 * to 128+65536 bytes. 93 */ 94 95 /* 96 * STATIC is defined to "static" if we are being built for kernel 97 * decompression (pre-boot code). <linux/decompress/mm.h> will define 98 * STATIC to empty if it wasn't already defined. Since we will need to 99 * know later if we are being used for kernel decompression, we define 100 * XZ_PREBOOT here. 101 */ 102 #ifdef STATIC 103 # define XZ_PREBOOT 104 #else 105 # include <linux/decompress/unxz.h> 106 #endif 107 #ifdef __KERNEL__ 108 # include <linux/decompress/mm.h> 109 #endif 110 111 #ifndef XZ_PREBOOT 112 # include <linux/slab.h> 113 # include <linux/xz.h> 114 #else 115 /* 116 * Use the internal CRC32 code instead of kernel's CRC32 module, which 117 * is not available in early phase of booting. 118 */ 119 #define XZ_INTERNAL_CRC32 1 120 121 /* 122 * For boot time use, we enable only the BCJ filter of the current 123 * architecture or none if no BCJ filter is available for the architecture. 124 */ 125 #ifdef CONFIG_X86 126 # define XZ_DEC_X86 127 #endif 128 #if defined(CONFIG_PPC) && defined(CONFIG_CPU_BIG_ENDIAN) 129 # define XZ_DEC_POWERPC 130 #endif 131 #ifdef CONFIG_ARM 132 # ifdef CONFIG_THUMB2_KERNEL 133 # define XZ_DEC_ARMTHUMB 134 # else 135 # define XZ_DEC_ARM 136 # endif 137 #endif 138 #ifdef CONFIG_ARM64 139 # define XZ_DEC_ARM64 140 #endif 141 #ifdef CONFIG_RISCV 142 # define XZ_DEC_RISCV 143 #endif 144 #ifdef CONFIG_SPARC 145 # define XZ_DEC_SPARC 146 #endif 147 148 /* 149 * This will get the basic headers so that memeq() and others 150 * can be defined. 151 */ 152 #include "xz/xz_private.h" 153 154 /* 155 * Replace the normal allocation functions with the versions from 156 * <linux/decompress/mm.h>. vfree() needs to support vfree(NULL) 157 * when XZ_DYNALLOC is used, but the pre-boot free() doesn't support it. 158 * Workaround it here because the other decompressors don't need it. 159 */ 160 #undef kmalloc 161 #undef kfree 162 #undef vmalloc 163 #undef vfree 164 #define kmalloc(size, flags) malloc(size) 165 #define kfree(ptr) free(ptr) 166 #define vmalloc(size) malloc(size) 167 #define vfree(ptr) do { if (ptr != NULL) free(ptr); } while (0) 168 169 /* 170 * FIXME: Not all basic memory functions are provided in architecture-specific 171 * files (yet). We define our own versions here for now, but this should be 172 * only a temporary solution. 173 * 174 * memeq and memzero are not used much and any remotely sane implementation 175 * is fast enough. memcpy/memmove speed matters in multi-call mode, but 176 * the kernel image is decompressed in single-call mode, in which only 177 * memmove speed can matter and only if there is a lot of incompressible data 178 * (LZMA2 stores incompressible chunks in uncompressed form). Thus, the 179 * functions below should just be kept small; it's probably not worth 180 * optimizing for speed. 181 */ 182 183 #ifndef memeq 184 static bool memeq(const void *a, const void *b, size_t size) 185 { 186 const uint8_t *x = a; 187 const uint8_t *y = b; 188 size_t i; 189 190 for (i = 0; i < size; ++i) 191 if (x[i] != y[i]) 192 return false; 193 194 return true; 195 } 196 #endif 197 198 #ifndef memzero 199 static void memzero(void *buf, size_t size) 200 { 201 uint8_t *b = buf; 202 uint8_t *e = b + size; 203 204 while (b != e) 205 *b++ = '\0'; 206 } 207 #endif 208 209 #ifndef memmove 210 /* Not static to avoid a conflict with the prototype in the Linux headers. */ 211 void *memmove(void *dest, const void *src, size_t size) 212 { 213 uint8_t *d = dest; 214 const uint8_t *s = src; 215 size_t i; 216 217 if (d < s) { 218 for (i = 0; i < size; ++i) 219 d[i] = s[i]; 220 } else if (d > s) { 221 i = size; 222 while (i-- > 0) 223 d[i] = s[i]; 224 } 225 226 return dest; 227 } 228 #endif 229 230 /* 231 * Since we need memmove anyway, we could use it as memcpy too. 232 * Commented out for now to avoid breaking things. 233 */ 234 /* 235 #ifndef memcpy 236 # define memcpy memmove 237 #endif 238 */ 239 240 #include "xz/xz_crc32.c" 241 #include "xz/xz_dec_stream.c" 242 #include "xz/xz_dec_lzma2.c" 243 #include "xz/xz_dec_bcj.c" 244 245 #endif /* XZ_PREBOOT */ 246 247 /* Size of the input and output buffers in multi-call mode */ 248 #define XZ_IOBUF_SIZE 4096 249 250 /* 251 * This function implements the API defined in <linux/decompress/generic.h>. 252 * 253 * This wrapper will automatically choose single-call or multi-call mode 254 * of the native XZ decoder API. The single-call mode can be used only when 255 * both input and output buffers are available as a single chunk, i.e. when 256 * fill() and flush() won't be used. 257 */ 258 STATIC int INIT unxz(unsigned char *in, long in_size, 259 long (*fill)(void *dest, unsigned long size), 260 long (*flush)(void *src, unsigned long size), 261 unsigned char *out, long *in_used, 262 void (*error)(char *x)) 263 { 264 struct xz_buf b; 265 struct xz_dec *s; 266 enum xz_ret ret; 267 bool must_free_in = false; 268 269 #if XZ_INTERNAL_CRC32 270 xz_crc32_init(); 271 #endif 272 273 if (in_used != NULL) 274 *in_used = 0; 275 276 if (fill == NULL && flush == NULL) 277 s = xz_dec_init(XZ_SINGLE, 0); 278 else 279 s = xz_dec_init(XZ_DYNALLOC, (uint32_t)-1); 280 281 if (s == NULL) 282 goto error_alloc_state; 283 284 if (flush == NULL) { 285 b.out = out; 286 b.out_size = (size_t)-1; 287 } else { 288 b.out_size = XZ_IOBUF_SIZE; 289 b.out = malloc(XZ_IOBUF_SIZE); 290 if (b.out == NULL) 291 goto error_alloc_out; 292 } 293 294 if (in == NULL) { 295 must_free_in = true; 296 in = malloc(XZ_IOBUF_SIZE); 297 if (in == NULL) 298 goto error_alloc_in; 299 } 300 301 b.in = in; 302 b.in_pos = 0; 303 b.in_size = in_size; 304 b.out_pos = 0; 305 306 if (fill == NULL && flush == NULL) { 307 ret = xz_dec_run(s, &b); 308 } else { 309 do { 310 if (b.in_pos == b.in_size && fill != NULL) { 311 if (in_used != NULL) 312 *in_used += b.in_pos; 313 314 b.in_pos = 0; 315 316 in_size = fill(in, XZ_IOBUF_SIZE); 317 if (in_size < 0) { 318 /* 319 * This isn't an optimal error code 320 * but it probably isn't worth making 321 * a new one either. 322 */ 323 ret = XZ_BUF_ERROR; 324 break; 325 } 326 327 b.in_size = in_size; 328 } 329 330 ret = xz_dec_run(s, &b); 331 332 if (flush != NULL && (b.out_pos == b.out_size 333 || (ret != XZ_OK && b.out_pos > 0))) { 334 /* 335 * Setting ret here may hide an error 336 * returned by xz_dec_run(), but probably 337 * it's not too bad. 338 */ 339 if (flush(b.out, b.out_pos) != (long)b.out_pos) 340 ret = XZ_BUF_ERROR; 341 342 b.out_pos = 0; 343 } 344 } while (ret == XZ_OK); 345 346 if (must_free_in) 347 free(in); 348 349 if (flush != NULL) 350 free(b.out); 351 } 352 353 if (in_used != NULL) 354 *in_used += b.in_pos; 355 356 xz_dec_end(s); 357 358 switch (ret) { 359 case XZ_STREAM_END: 360 return 0; 361 362 case XZ_MEM_ERROR: 363 /* This can occur only in multi-call mode. */ 364 error("XZ decompressor ran out of memory"); 365 break; 366 367 case XZ_FORMAT_ERROR: 368 error("Input is not in the XZ format (wrong magic bytes)"); 369 break; 370 371 case XZ_OPTIONS_ERROR: 372 error("Input was encoded with settings that are not " 373 "supported by this XZ decoder"); 374 break; 375 376 case XZ_DATA_ERROR: 377 case XZ_BUF_ERROR: 378 error("XZ-compressed data is corrupt"); 379 break; 380 381 default: 382 error("Bug in the XZ decompressor"); 383 break; 384 } 385 386 return -1; 387 388 error_alloc_in: 389 if (flush != NULL) 390 free(b.out); 391 392 error_alloc_out: 393 xz_dec_end(s); 394 395 error_alloc_state: 396 error("XZ decompressor ran out of memory"); 397 return -1; 398 } 399 400 /* 401 * This function is used by architecture-specific files to decompress 402 * the kernel image. 403 */ 404 #ifdef XZ_PREBOOT 405 STATIC int INIT __decompress(unsigned char *in, long in_size, 406 long (*fill)(void *dest, unsigned long size), 407 long (*flush)(void *src, unsigned long size), 408 unsigned char *out, long out_size, 409 long *in_used, 410 void (*error)(char *x)) 411 { 412 return unxz(in, in_size, fill, flush, out, in_used, error); 413 } 414 #endif 415