lib/decompress_unxz.c

   1 /*
   2  * Wrapper for decompressing XZ-compressed kernel, initramfs, and initrd
   3  *
   4  * Author: Lasse Collin <lasse.collin@tukaani.org>
   5  *
   6  * This file has been put into the public domain.
   7  * You can do whatever you want with this file.
   8  */
   9
  10 /*
  11  * Important notes about in-place decompression
  12  *
  13  * At least on x86, the kernel is decompressed in place: the compressed data
  14  * is placed to the end of the output buffer, and the decompressor overwrites
  15  * most of the compressed data. There must be enough safety margin to
  16  * guarantee that the write position is always behind the read position.
  17  *
  18  * The safety margin for XZ with LZMA2 or BCJ+LZMA2 is calculated below.
  19  * Note that the margin with XZ is bigger than with Deflate (gzip)!
  20  *
  21  * The worst case for in-place decompression is that the beginning of
  22  * the file is compressed extremely well, and the rest of the file is
  23  * incompressible. Thus, we must look for worst-case expansion when the
  24  * compressor is encoding incompressible data.
  25  *
  26  * The structure of the .xz file in case of a compressed kernel is as follows.
  27  * Sizes (as bytes) of the fields are in parenthesis.
  28  *
  29  *    Stream Header (12)
  30  *    Block Header:
  31  *      Block Header (8-12)
  32  *      Compressed Data (N)
  33  *      Block Padding (0-3)
  34  *      CRC32 (4)
  35  *    Index (8-20)
  36  *    Stream Footer (12)
  37  *
  38  * Normally there is exactly one Block, but let's assume that there are
  39  * 2-4 Blocks just in case. Because Stream Header and also Block Header
  40  * of the first Block don't make the decompressor produce any uncompressed
  41  * data, we can ignore them from our calculations. Block Headers of possible
  42  * additional Blocks have to be taken into account still. With these
  43  * assumptions, it is safe to assume that the total header overhead is
  44  * less than 128 bytes.
  45  *
  46  * Compressed Data contains LZMA2 or BCJ+LZMA2 encoded data. Since BCJ
  47  * doesn't change the size of the data, it is enough to calculate the
  48  * safety margin for LZMA2.
  49  *
  50  * LZMA2 stores the data in chunks. Each chunk has a header whose size is
  51  * a maximum of 6 bytes, but to get round 2^n numbers, let's assume that
  52  * the maximum chunk header size is 8 bytes. After the chunk header, there
  53  * may be up to 64 KiB of actual payload in the chunk. Often the payload is
  54  * quite a bit smaller though; to be safe, let's assume that an average
  55  * chunk has only 32 KiB of payload.
  56  *
  57  * The maximum uncompressed size of the payload is 2 MiB. The minimum
  58  * uncompressed size of the payload is in practice never less than the
  59  * payload size itself. The LZMA2 format would allow uncompressed size
  60  * to be less than the payload size, but no sane compressor creates such
  61  * files. LZMA2 supports storing incompressible data in uncompressed form,
  62  * so there's never a need to create payloads whose uncompressed size is
  63  * smaller than the compressed size.
  64  *
  65  * The assumption, that the uncompressed size of the payload is never
  66  * smaller than the payload itself, is valid only when talking about
  67  * the payload as a whole. It is possible that the payload has parts where
  68  * the decompressor consumes more input than it produces output. Calculating
  69  * the worst case for this would be tricky. Instead of trying to do that,
  70  * let's simply make sure that the decompressor never overwrites any bytes
  71  * of the payload which it is currently reading.
  72  *
  73  * Now we have enough information to calculate the safety margin. We need
  74  *   - 128 bytes for the .xz file format headers;
  75  *   - 8 bytes per every 32 KiB of uncompressed size (one LZMA2 chunk header
  76  *     per chunk, each chunk having average payload size of 32 KiB); and
  77  *   - 64 KiB (biggest possible LZMA2 chunk payload size) to make sure that
  78  *     the decompressor never overwrites anything from the LZMA2 chunk
  79  *     payload it is currently reading.
  80  *
  81  * We get the following formula:
  82  *
  83  *    safety_margin = 128 + uncompressed_size * 8 / 32768 + 65536
  84  *                  = 128 + (uncompressed_size >> 12) + 65536
  85  *
  86  * For comparison, according to arch/x86/boot/compressed/misc.c, the
  87  * equivalent formula for Deflate is this:
  88  *
  89  *    safety_margin = 18 + (uncompressed_size >> 12) + 32768
  90  *
  91  * Thus, when updating Deflate-only in-place kernel decompressor to
  92  * support XZ, the fixed overhead has to be increased from 18+32768 bytes
  93  * to 128+65536 bytes.
  94  */
  95
  96 /*
  97  * STATIC is defined to "static" if we are being built for kernel
  98  * decompression (pre-boot code). <linux/decompress/mm.h> will define
  99  * STATIC to empty if it wasn't already defined. Since we will need to
 100  * know later if we are being used for kernel decompression, we define
 101  * XZ_PREBOOT here.
 102  */
 103 #ifdef STATIC
 104 #       define XZ_PREBOOT
 105 #else
 106 #include <linux/decompress/unxz.h>
 107 #endif
 108 #ifdef __KERNEL__
 109 #       include <linux/decompress/mm.h>
 110 #endif
 111 #define XZ_EXTERN STATIC
 112
 113 #ifndef XZ_PREBOOT
 114 #       include <linux/slab.h>
 115 #       include <linux/xz.h>
 116 #else
 117 /*
 118  * Use the internal CRC32 code instead of kernel's CRC32 module, which
 119  * is not available in early phase of booting.
 120  */
 121 #define XZ_INTERNAL_CRC32 1
 122
 123 /*
 124  * For boot time use, we enable only the BCJ filter of the current
 125  * architecture or none if no BCJ filter is available for the architecture.
 126  */
 127 #ifdef CONFIG_X86
 128 #       define XZ_DEC_X86
 129 #endif
 130 #ifdef CONFIG_PPC
 131 #       define XZ_DEC_POWERPC
 132 #endif
 133 #ifdef CONFIG_ARM
 134 #       define XZ_DEC_ARM
 135 #endif
 136 #ifdef CONFIG_SPARC
 137 #       define XZ_DEC_SPARC
 138 #endif
 139
 140 /*
 141  * This will get the basic headers so that memeq() and others
 142  * can be defined.
 143  */
 144 #include "xz/xz_private.h"
 145
 146 /*
 147  * Replace the normal allocation functions with the versions from
 148  * <linux/decompress/mm.h>. vfree() needs to support vfree(NULL)
 149  * when XZ_DYNALLOC is used, but the pre-boot free() doesn't support it.
 150  * Workaround it here because the other decompressors don't need it.
 151  */
 152 #undef kmalloc
 153 #undef kfree
 154 #undef vmalloc
 155 #undef vfree
 156 #define kmalloc(size, flags) malloc(size)
 157 #define kfree(ptr) free(ptr)
 158 #define vmalloc(size) malloc(size)
 159 #define vfree(ptr) do { if (ptr != NULL) free(ptr); } while (0)
 160
 161 /*
 162  * FIXME: Not all basic memory functions are provided in architecture-specific
 163  * files (yet). We define our own versions here for now, but this should be
 164  * only a temporary solution.
 165  *
 166  * memeq and memzero are not used much and any remotely sane implementation
 167  * is fast enough. memcpy/memmove speed matters in multi-call mode, but
 168  * the kernel image is decompressed in single-call mode, in which only
 169  * memmove speed can matter and only if there is a lot of incompressible data
 170  * (LZMA2 stores incompressible chunks in uncompressed form). Thus, the
 171  * functions below should just be kept small; it's probably not worth
 172  * optimizing for speed.
 173  */
 174
 175 #ifndef memeq
 176 static bool memeq(const void *a, const void *b, size_t size)
 177 {
 178         const uint8_t *x = a;
 179         const uint8_t *y = b;
 180         size_t i;
 181
 182         for (i = 0; i < size; ++i)
 183                 if (x[i] != y[i])
 184                         return false;
 185
 186         return true;
 187 }
 188 #endif
 189
 190 #ifndef memzero
 191 static void memzero(void *buf, size_t size)
 192 {
 193         uint8_t *b = buf;
 194         uint8_t *e = b + size;
 195
 196         while (b != e)
 197                 *b++ = '\0';
 198 }
 199 #endif
 200
 201 #ifndef memmove
 202 /* Not static to avoid a conflict with the prototype in the Linux headers. */
 203 void *memmove(void *dest, const void *src, size_t size)
 204 {
 205         uint8_t *d = dest;
 206         const uint8_t *s = src;
 207         size_t i;
 208
 209         if (d < s) {
 210                 for (i = 0; i < size; ++i)
 211                         d[i] = s[i];
 212         } else if (d > s) {
 213                 i = size;
 214                 while (i-- > 0)
 215                         d[i] = s[i];
 216         }
 217
 218         return dest;
 219 }
 220 #endif
 221
 222 /*
 223  * Since we need memmove anyway, would use it as memcpy too.
 224  * Commented out for now to avoid breaking things.
 225  */
 226 /*
 227 #ifndef memcpy
 228 #       define memcpy memmove
 229 #endif
 230 */
 231
 232 #include "xz/xz_crc32.c"
 233 #include "xz/xz_dec_stream.c"
 234 #include "xz/xz_dec_lzma2.c"
 235 #include "xz/xz_dec_bcj.c"
 236
 237 #endif /* XZ_PREBOOT */
 238
 239 /* Size of the input and output buffers in multi-call mode */
 240 #define XZ_IOBUF_SIZE 4096
 241
 242 /*
 243  * This function implements the API defined in <linux/decompress/generic.h>.
 244  *
 245  * This wrapper will automatically choose single-call or multi-call mode
 246  * of the native XZ decoder API. The single-call mode can be used only when
 247  * both input and output buffers are available as a single chunk, i.e. when
 248  * fill() and flush() won't be used.
 249  */
 250 STATIC int INIT unxz(unsigned char *in, long in_size,
 251                      long (*fill)(void *dest, unsigned long size),
 252                      long (*flush)(void *src, unsigned long size),
 253                      unsigned char *out, long *in_used,
 254                      void (*error)(char *x))
 255 {
 256         struct xz_buf b;
 257         struct xz_dec *s;
 258         enum xz_ret ret;
 259         bool must_free_in = false;
 260
 261 #if XZ_INTERNAL_CRC32
 262         xz_crc32_init();
 263 #endif
 264
 265         if (in_used != NULL)
 266                 *in_used = 0;
 267
 268         if (fill == NULL && flush == NULL)
 269                 s = xz_dec_init(XZ_SINGLE, 0);
 270         else
 271                 s = xz_dec_init(XZ_DYNALLOC, (uint32_t)-1);
 272
 273         if (s == NULL)
 274                 goto error_alloc_state;
 275
 276         if (flush == NULL) {
 277                 b.out = out;
 278                 b.out_size = (size_t)-1;
 279         } else {
 280                 b.out_size = XZ_IOBUF_SIZE;
 281                 b.out = malloc(XZ_IOBUF_SIZE);
 282                 if (b.out == NULL)
 283                         goto error_alloc_out;
 284         }
 285
 286         if (in == NULL) {
 287                 must_free_in = true;
 288                 in = malloc(XZ_IOBUF_SIZE);
 289                 if (in == NULL)
 290                         goto error_alloc_in;
 291         }
 292
 293         b.in = in;
 294         b.in_pos = 0;
 295         b.in_size = in_size;
 296         b.out_pos = 0;
 297
 298         if (fill == NULL && flush == NULL) {
 299                 ret = xz_dec_run(s, &b);
 300         } else {
 301                 do {
 302                         if (b.in_pos == b.in_size && fill != NULL) {
 303                                 if (in_used != NULL)
 304                                         *in_used += b.in_pos;
 305
 306                                 b.in_pos = 0;
 307
 308                                 in_size = fill(in, XZ_IOBUF_SIZE);
 309                                 if (in_size < 0) {
 310                                         /*
 311                                          * This isn't an optimal error code
 312                                          * but it probably isn't worth making
 313                                          * a new one either.
 314                                          */
 315                                         ret = XZ_BUF_ERROR;
 316                                         break;
 317                                 }
 318
 319                                 b.in_size = in_size;
 320                         }
 321
 322                         ret = xz_dec_run(s, &b);
 323
 324                         if (flush != NULL && (b.out_pos == b.out_size
 325                                         || (ret != XZ_OK && b.out_pos > 0))) {
 326                                 /*
 327                                  * Setting ret here may hide an error
 328                                  * returned by xz_dec_run(), but probably
 329                                  * it's not too bad.
 330                                  */
 331                                 if (flush(b.out, b.out_pos) != (long)b.out_pos)
 332                                         ret = XZ_BUF_ERROR;
 333
 334                                 b.out_pos = 0;
 335                         }
 336                 } while (ret == XZ_OK);
 337
 338                 if (must_free_in)
 339                         free(in);
 340
 341                 if (flush != NULL)
 342                         free(b.out);
 343         }
 344
 345         if (in_used != NULL)
 346                 *in_used += b.in_pos;
 347
 348         xz_dec_end(s);
 349
 350         switch (ret) {
 351         case XZ_STREAM_END:
 352                 return 0;
 353
 354         case XZ_MEM_ERROR:
 355                 /* This can occur only in multi-call mode. */
 356                 error("XZ decompressor ran out of memory");
 357                 break;
 358
 359         case XZ_FORMAT_ERROR:
 360                 error("Input is not in the XZ format (wrong magic bytes)");
 361                 break;
 362
 363         case XZ_OPTIONS_ERROR:
 364                 error("Input was encoded with settings that are not "
 365                                 "supported by this XZ decoder");
 366                 break;
 367
 368         case XZ_DATA_ERROR:
 369         case XZ_BUF_ERROR:
 370                 error("XZ-compressed data is corrupt");
 371                 break;
 372
 373         default:
 374                 error("Bug in the XZ decompressor");
 375                 break;
 376         }
 377
 378         return -1;
 379
 380 error_alloc_in:
 381         if (flush != NULL)
 382                 free(b.out);
 383
 384 error_alloc_out:
 385         xz_dec_end(s);
 386
 387 error_alloc_state:
 388         error("XZ decompressor ran out of memory");
 389         return -1;
 390 }
 391
 392 /*
 393  * This macro is used by architecture-specific files to decompress
 394  * the kernel image.
 395  */
 396 #ifdef XZ_PREBOOT
 397 STATIC int INIT __decompress(unsigned char *buf, long len,
 398                            long (*fill)(void*, unsigned long),
 399                            long (*flush)(void*, unsigned long),
 400                            unsigned char *out_buf, long olen,
 401                            long *pos,
 402                            void (*error)(char *x))
 403 {
 404         return unxz(buf, len, fill, flush, out_buf, pos, error);
 405 }
 406 #endif