1 // SPDX-License-Identifier: 0BSD
2
3 /*
4 * Wrapper for decompressing XZ-compressed kernel, initramfs, and initrd
5 *
6 * Author: Lasse Collin <[email protected]>
7 */
8
9 /*
10 * Important notes about in-place decompression
11 *
12 * At least on x86, the kernel is decompressed in place: the compressed data
13 * is placed to the end of the output buffer, and the decompressor overwrites
14 * most of the compressed data. There must be enough safety margin to
15 * guarantee that the write position is always behind the read position.
16 *
17 * The safety margin for XZ with LZMA2 or BCJ+LZMA2 is calculated below.
18 * Note that the margin with XZ is bigger than with Deflate (gzip)!
19 *
20 * The worst case for in-place decompression is that the beginning of
21 * the file is compressed extremely well, and the rest of the file is
22 * incompressible. Thus, we must look for worst-case expansion when the
23 * compressor is encoding incompressible data.
24 *
25 * The structure of the .xz file in case of a compressed kernel is as follows.
26 * Sizes (as bytes) of the fields are in parenthesis.
27 *
28 * Stream Header (12)
29 * Block Header:
30 * Block Header (8-12)
31 * Compressed Data (N)
32 * Block Padding (0-3)
33 * CRC32 (4)
34 * Index (8-20)
35 * Stream Footer (12)
36 *
37 * Normally there is exactly one Block, but let's assume that there are
38 * 2-4 Blocks just in case. Because Stream Header and also Block Header
39 * of the first Block don't make the decompressor produce any uncompressed
40 * data, we can ignore them from our calculations. Block Headers of possible
41 * additional Blocks have to be taken into account still. With these
42 * assumptions, it is safe to assume that the total header overhead is
43 * less than 128 bytes.
44 *
45 * Compressed Data contains LZMA2 or BCJ+LZMA2 encoded data. Since BCJ
46 * doesn't change the size of the data, it is enough to calculate the
47 * safety margin for LZMA2.
48 *
49 * LZMA2 stores the data in chunks. Each chunk has a header whose size is
50 * a maximum of 6 bytes, but to get round 2^n numbers, let's assume that
51 * the maximum chunk header size is 8 bytes. After the chunk header, there
52 * may be up to 64 KiB of actual payload in the chunk. Often the payload is
53 * quite a bit smaller though; to be safe, let's assume that an average
54 * chunk has only 32 KiB of payload.
55 *
56 * The maximum uncompressed size of the payload is 2 MiB. The minimum
57 * uncompressed size of the payload is in practice never less than the
58 * payload size itself. The LZMA2 format would allow uncompressed size
59 * to be less than the payload size, but no sane compressor creates such
60 * files. LZMA2 supports storing incompressible data in uncompressed form,
61 * so there's never a need to create payloads whose uncompressed size is
62 * smaller than the compressed size.
63 *
64 * The assumption, that the uncompressed size of the payload is never
65 * smaller than the payload itself, is valid only when talking about
66 * the payload as a whole. It is possible that the payload has parts where
67 * the decompressor consumes more input than it produces output. Calculating
68 * the worst case for this would be tricky. Instead of trying to do that,
69 * let's simply make sure that the decompressor never overwrites any bytes
70 * of the payload which it is currently reading.
71 *
72 * Now we have enough information to calculate the safety margin. We need
73 * - 128 bytes for the .xz file format headers;
74 * - 8 bytes per every 32 KiB of uncompressed size (one LZMA2 chunk header
75 * per chunk, each chunk having average payload size of 32 KiB); and
76 * - 64 KiB (biggest possible LZMA2 chunk payload size) to make sure that
77 * the decompressor never overwrites anything from the LZMA2 chunk
78 * payload it is currently reading.
79 *
80 * We get the following formula:
81 *
82 * safety_margin = 128 + uncompressed_size * 8 / 32768 + 65536
83 * = 128 + (uncompressed_size >> 12) + 65536
84 *
85 * For comparison, according to arch/x86/boot/compressed/misc.c, the
86 * equivalent formula for Deflate is this:
87 *
88 * safety_margin = 18 + (uncompressed_size >> 12) + 32768
89 *
90 * Thus, when updating Deflate-only in-place kernel decompressor to
91 * support XZ, the fixed overhead has to be increased from 18+32768 bytes
92 * to 128+65536 bytes.
93 */
94
95 /*
96 * STATIC is defined to "static" if we are being built for kernel
97 * decompression (pre-boot code). <linux/decompress/mm.h> will define
98 * STATIC to empty if it wasn't already defined. Since we will need to
99 * know later if we are being used for kernel decompression, we define
100 * XZ_PREBOOT here.
101 */
102 #ifdef STATIC
103 # define XZ_PREBOOT
104 #else
105 # include <linux/decompress/unxz.h>
106 #endif
107 #ifdef __KERNEL__
108 # include <linux/decompress/mm.h>
109 #endif
110 #define XZ_EXTERN STATIC
111
112 #ifndef XZ_PREBOOT
113 # include <linux/slab.h>
114 # include <linux/xz.h>
115 #else
116 /*
117 * Use the internal CRC32 code instead of kernel's CRC32 module, which
118 * is not available in early phase of booting.
119 */
120 #define XZ_INTERNAL_CRC32 1
121
122 /*
123 * For boot time use, we enable only the BCJ filter of the current
124 * architecture or none if no BCJ filter is available for the architecture.
125 */
126 #ifdef CONFIG_X86
127 # define XZ_DEC_X86
128 #endif
129 #if defined(CONFIG_PPC) && defined(CONFIG_CPU_BIG_ENDIAN)
130 # define XZ_DEC_POWERPC
131 #endif
132 #ifdef CONFIG_ARM
133 # ifdef CONFIG_THUMB2_KERNEL
134 # define XZ_DEC_ARMTHUMB
135 # else
136 # define XZ_DEC_ARM
137 # endif
138 #endif
139 #ifdef CONFIG_ARM64
140 # define XZ_DEC_ARM64
141 #endif
142 #ifdef CONFIG_RISCV
143 # define XZ_DEC_RISCV
144 #endif
145 #ifdef CONFIG_SPARC
146 # define XZ_DEC_SPARC
147 #endif
148
149 /*
150 * This will get the basic headers so that memeq() and others
151 * can be defined.
152 */
153 #include "xz/xz_private.h"
154
155 /*
156 * Replace the normal allocation functions with the versions from
157 * <linux/decompress/mm.h>. vfree() needs to support vfree(NULL)
158 * when XZ_DYNALLOC is used, but the pre-boot free() doesn't support it.
159 * Workaround it here because the other decompressors don't need it.
160 */
161 #undef kmalloc
162 #undef kfree
163 #undef vmalloc
164 #undef vfree
165 #define kmalloc(size, flags) malloc(size)
166 #define kfree(ptr) free(ptr)
167 #define vmalloc(size) malloc(size)
168 #define vfree(ptr) do { if (ptr != NULL) free(ptr); } while (0)
169
170 /*
171 * FIXME: Not all basic memory functions are provided in architecture-specific
172 * files (yet). We define our own versions here for now, but this should be
173 * only a temporary solution.
174 *
175 * memeq and memzero are not used much and any remotely sane implementation
176 * is fast enough. memcpy/memmove speed matters in multi-call mode, but
177 * the kernel image is decompressed in single-call mode, in which only
178 * memmove speed can matter and only if there is a lot of incompressible data
179 * (LZMA2 stores incompressible chunks in uncompressed form). Thus, the
180 * functions below should just be kept small; it's probably not worth
181 * optimizing for speed.
182 */
183
184 #ifndef memeq
memeq(const void * a,const void * b,size_t size)185 static bool memeq(const void *a, const void *b, size_t size)
186 {
187 const uint8_t *x = a;
188 const uint8_t *y = b;
189 size_t i;
190
191 for (i = 0; i < size; ++i)
192 if (x[i] != y[i])
193 return false;
194
195 return true;
196 }
197 #endif
198
199 #ifndef memzero
memzero(void * buf,size_t size)200 static void memzero(void *buf, size_t size)
201 {
202 uint8_t *b = buf;
203 uint8_t *e = b + size;
204
205 while (b != e)
206 *b++ = '\0';
207 }
208 #endif
209
210 #ifndef memmove
211 /* Not static to avoid a conflict with the prototype in the Linux headers. */
memmove(void * dest,const void * src,size_t size)212 void *memmove(void *dest, const void *src, size_t size)
213 {
214 uint8_t *d = dest;
215 const uint8_t *s = src;
216 size_t i;
217
218 if (d < s) {
219 for (i = 0; i < size; ++i)
220 d[i] = s[i];
221 } else if (d > s) {
222 i = size;
223 while (i-- > 0)
224 d[i] = s[i];
225 }
226
227 return dest;
228 }
229 #endif
230
231 /*
232 * Since we need memmove anyway, we could use it as memcpy too.
233 * Commented out for now to avoid breaking things.
234 */
235 /*
236 #ifndef memcpy
237 # define memcpy memmove
238 #endif
239 */
240
241 #include "xz/xz_crc32.c"
242 #include "xz/xz_dec_stream.c"
243 #include "xz/xz_dec_lzma2.c"
244 #include "xz/xz_dec_bcj.c"
245
246 #endif /* XZ_PREBOOT */
247
248 /* Size of the input and output buffers in multi-call mode */
249 #define XZ_IOBUF_SIZE 4096
250
251 /*
252 * This function implements the API defined in <linux/decompress/generic.h>.
253 *
254 * This wrapper will automatically choose single-call or multi-call mode
255 * of the native XZ decoder API. The single-call mode can be used only when
256 * both input and output buffers are available as a single chunk, i.e. when
257 * fill() and flush() won't be used.
258 */
unxz(unsigned char * in,long in_size,long (* fill)(void * dest,unsigned long size),long (* flush)(void * src,unsigned long size),unsigned char * out,long * in_used,void (* error)(char * x))259 STATIC int INIT unxz(unsigned char *in, long in_size,
260 long (*fill)(void *dest, unsigned long size),
261 long (*flush)(void *src, unsigned long size),
262 unsigned char *out, long *in_used,
263 void (*error)(char *x))
264 {
265 struct xz_buf b;
266 struct xz_dec *s;
267 enum xz_ret ret;
268 bool must_free_in = false;
269
270 #if XZ_INTERNAL_CRC32
271 xz_crc32_init();
272 #endif
273
274 if (in_used != NULL)
275 *in_used = 0;
276
277 if (fill == NULL && flush == NULL)
278 s = xz_dec_init(XZ_SINGLE, 0);
279 else
280 s = xz_dec_init(XZ_DYNALLOC, (uint32_t)-1);
281
282 if (s == NULL)
283 goto error_alloc_state;
284
285 if (flush == NULL) {
286 b.out = out;
287 b.out_size = (size_t)-1;
288 } else {
289 b.out_size = XZ_IOBUF_SIZE;
290 b.out = malloc(XZ_IOBUF_SIZE);
291 if (b.out == NULL)
292 goto error_alloc_out;
293 }
294
295 if (in == NULL) {
296 must_free_in = true;
297 in = malloc(XZ_IOBUF_SIZE);
298 if (in == NULL)
299 goto error_alloc_in;
300 }
301
302 b.in = in;
303 b.in_pos = 0;
304 b.in_size = in_size;
305 b.out_pos = 0;
306
307 if (fill == NULL && flush == NULL) {
308 ret = xz_dec_run(s, &b);
309 } else {
310 do {
311 if (b.in_pos == b.in_size && fill != NULL) {
312 if (in_used != NULL)
313 *in_used += b.in_pos;
314
315 b.in_pos = 0;
316
317 in_size = fill(in, XZ_IOBUF_SIZE);
318 if (in_size < 0) {
319 /*
320 * This isn't an optimal error code
321 * but it probably isn't worth making
322 * a new one either.
323 */
324 ret = XZ_BUF_ERROR;
325 break;
326 }
327
328 b.in_size = in_size;
329 }
330
331 ret = xz_dec_run(s, &b);
332
333 if (flush != NULL && (b.out_pos == b.out_size
334 || (ret != XZ_OK && b.out_pos > 0))) {
335 /*
336 * Setting ret here may hide an error
337 * returned by xz_dec_run(), but probably
338 * it's not too bad.
339 */
340 if (flush(b.out, b.out_pos) != (long)b.out_pos)
341 ret = XZ_BUF_ERROR;
342
343 b.out_pos = 0;
344 }
345 } while (ret == XZ_OK);
346
347 if (must_free_in)
348 free(in);
349
350 if (flush != NULL)
351 free(b.out);
352 }
353
354 if (in_used != NULL)
355 *in_used += b.in_pos;
356
357 xz_dec_end(s);
358
359 switch (ret) {
360 case XZ_STREAM_END:
361 return 0;
362
363 case XZ_MEM_ERROR:
364 /* This can occur only in multi-call mode. */
365 error("XZ decompressor ran out of memory");
366 break;
367
368 case XZ_FORMAT_ERROR:
369 error("Input is not in the XZ format (wrong magic bytes)");
370 break;
371
372 case XZ_OPTIONS_ERROR:
373 error("Input was encoded with settings that are not "
374 "supported by this XZ decoder");
375 break;
376
377 case XZ_DATA_ERROR:
378 case XZ_BUF_ERROR:
379 error("XZ-compressed data is corrupt");
380 break;
381
382 default:
383 error("Bug in the XZ decompressor");
384 break;
385 }
386
387 return -1;
388
389 error_alloc_in:
390 if (flush != NULL)
391 free(b.out);
392
393 error_alloc_out:
394 xz_dec_end(s);
395
396 error_alloc_state:
397 error("XZ decompressor ran out of memory");
398 return -1;
399 }
400
401 /*
402 * This function is used by architecture-specific files to decompress
403 * the kernel image.
404 */
405 #ifdef XZ_PREBOOT
__decompress(unsigned char * in,long in_size,long (* fill)(void * dest,unsigned long size),long (* flush)(void * src,unsigned long size),unsigned char * out,long out_size,long * in_used,void (* error)(char * x))406 STATIC int INIT __decompress(unsigned char *in, long in_size,
407 long (*fill)(void *dest, unsigned long size),
408 long (*flush)(void *src, unsigned long size),
409 unsigned char *out, long out_size,
410 long *in_used,
411 void (*error)(char *x))
412 {
413 return unxz(in, in_size, fill, flush, out, in_used, error);
414 }
415 #endif
416