zircon/system/ulib/fvm/fvm.cc - fuchsia - Git at Google

 // Copyright 2017 The Fuchsia Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include <fcntl.h>
 #include <inttypes.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <unistd.h>
 #include <zircon/assert.h>

 #include <fvm/fvm.h>

 #ifdef __Fuchsia__
 #include <lib/zx/vmo.h>
 #include <zircon/syscalls.h>
 #endif

 #include <zircon/compiler.h>
 #include <zircon/types.h>

 #include <fbl/algorithm.h>
 #include <fbl/unique_fd.h>
 #include <fvm/format.h>

 namespace fvm {

 namespace {

 // Return true if g1 is greater than or equal to g2.
 // Safe against integer overflow.
 bool GenerationGE(uint64_t g1, uint64_t g2) {
   if (g1 == UINT64_MAX && g2 == 0) {
     return false;
   } else if (g1 == 0 && g2 == UINT64_MAX) {
     return true;
   }
   return g1 >= g2;
 }

 // Validate the metadata's hash value.
 // Returns 'true' if it matches, 'false' otherwise.
 bool CheckHash(const void* metadata, size_t metadata_size) {
   ZX_ASSERT(metadata_size >= sizeof(Header));
   const Header* header = static_cast<const Header*>(metadata);
   const void* metadata_after_hash =
       reinterpret_cast<const void*>(header->hash + sizeof(header->hash));
   uint8_t empty_hash[sizeof(header->hash)];
   memset(empty_hash, 0, sizeof(empty_hash));

   digest::Digest digest;
   digest.Init();
   digest.Update(metadata, offsetof(Header, hash));
   digest.Update(empty_hash, sizeof(empty_hash));
   digest.Update(metadata_after_hash,
                 metadata_size - (offsetof(Header, hash) + sizeof(header->hash)));
   digest.Final();
   return digest == header->hash;
 }

 }  // namespace

 void UpdateHash(void* metadata, size_t metadata_size) {
   Header* header = static_cast<Header*>(metadata);
   memset(header->hash, 0, sizeof(header->hash));
   digest::Digest digest;
   const uint8_t* hash = digest.Hash(metadata, metadata_size);
   memcpy(header->hash, hash, sizeof(header->hash));
 }

 std::optional<SuperblockType> ValidateHeader(const void* primary_metadata,
                                              const void* secondary_metadata, size_t metadata_size) {
   const Header* primary_header = static_cast<const Header*>(primary_metadata);
   size_t primary_metadata_size = primary_header->GetMetadataUsedBytes();

   const Header* secondary_header = static_cast<const Header*>(secondary_metadata);
   size_t secondary_metadata_size = secondary_header->GetMetadataUsedBytes();

   auto check_value_consistency = [metadata_size](const Header& header) {
     // Check header signature and version.
     if (header.magic != kMagic) {
       fprintf(stderr, "fvm: Bad magic\n");
       return false;
     }
     if (header.format_version > kCurrentFormatVersion) {
       fprintf(stderr,
               "fvm: Header format version (=%" PRIu64 ") does not match fvm driver (=%" PRIu64
               ")\n",
               header.format_version, kCurrentFormatVersion);
       return false;
     }

     // Check no overflow for each region of metadata.
     uint64_t calculated_metadata_size = 0;
     if (add_overflow(header.allocation_table_size, header.GetAllocationTableOffset(),
                      &calculated_metadata_size)) {
       fprintf(stderr, "fvm: Calculated metadata size produces overflow(%" PRIu64 ", %zu).\n",
               header.allocation_table_size, header.GetAllocationTableOffset());
       return false;
     }

     // Check that the reported metadata size matches the calculated metadata size by format info.
     // This may be slightly redundant since presumably the caller who passed in the metadata_size
     // computed it from the header values, but it's useful to check for the backup copy.
     if (header.GetMetadataUsedBytes() > metadata_size) {
       fprintf(stderr,
               "fvm: Reported metadata size of %zu is smaller than header buffer size %zu.\n",
               header.GetMetadataUsedBytes(), metadata_size);
       return false;
     }

     // Check metadata size is as least as big as the header.
     if (header.GetMetadataUsedBytes() < sizeof(Header)) {
       fprintf(stderr,
               "fvm: Reported metadata size of %zu is smaller than header buffer size %lu.\n",
               header.GetMetadataUsedBytes(), sizeof(Header));
       return false;
     }

     // Check metadata allocated size is greater than used size.
     if (header.GetMetadataUsedBytes() > header.GetMetadataAllocatedBytes()) {
       fprintf(stderr, "fvm: Reported metadata size of %zu is greater than allocated size %lu.\n",
               header.GetMetadataUsedBytes(), header.GetMetadataAllocatedBytes());
       return false;
     }

     // Check bounds of slice size and partition.
     if (header.fvm_partition_size < 2 * header.GetMetadataAllocatedBytes()) {
       fprintf(stderr,
               "fvm: Partition of size %" PRIu64 " can't fit both metadata copies of size %zu.\n",
               header.fvm_partition_size, header.GetMetadataAllocatedBytes());
       return false;
     }

     // Check that addressable slices fit in the partition.
     if (header.GetDataStartOffset() +
             (header.GetAllocationTableUsedEntryCount() * header.slice_size) >
         header.fvm_partition_size) {
       fprintf(stderr,
               "fvm: Slice count %zu Slice Size %" PRIu64 " out of range for partition sz %" PRIu64
               ".\n",
               header.GetAllocationTableUsedEntryCount(), header.slice_size,
               header.fvm_partition_size);
       return false;
     }

     return true;
   };

   // Assume that the reported metadata size by each header is correct. This size must be smaller
   // than metadata buffer size(|metadata_size|. If this is the case, then check that the contents
   // from [start, reported_size] are valid.
   // The metadata size should always be at least the size of the header.
   bool primary_valid = false;
   if (check_value_consistency(*primary_header)) {
     if (CheckHash(primary_metadata, primary_metadata_size)) {
       primary_valid = true;
     } else {
       fprintf(stderr, "fvm: Primary metadata has invalid content hash\n");
     }
   }
   if (!primary_valid) {
     fprintf(stderr, "fvm: Primary metadata invalid\n");
   }
   bool secondary_valid = false;
   if (check_value_consistency(*secondary_header)) {
     if (CheckHash(secondary_metadata, secondary_metadata_size)) {
       secondary_valid = true;
     } else {
       fprintf(stderr, "fvm: Secondary metadata has invalid content hash\n");
     }
   }
   if (!secondary_valid) {
     fprintf(stderr, "fvm: Secondary metadata invalid\n");
   }

   // Decide if we should use the primary or the secondary copy of metadata for reading.
   if (!primary_valid && !secondary_valid) {
     return std::nullopt;
   }

   if (primary_valid && !secondary_valid) {
     return SuperblockType::kPrimary;
   }
   if (!primary_valid && secondary_valid) {
     return SuperblockType::kSecondary;
   }

   // Both valid, pick the newest.
   return GenerationGE(primary_header->generation, secondary_header->generation)
              ? SuperblockType::kPrimary
              : SuperblockType::kSecondary;
 }

 }  // namespace fvm
	// Copyright 2017 The Fuchsia Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include <fcntl.h>
	#include <inttypes.h>
	#include <stdbool.h>
	#include <stddef.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/stat.h>
	#include <unistd.h>
	#include <zircon/assert.h>

	#include <fvm/fvm.h>

	#ifdef __Fuchsia__
	#include <lib/zx/vmo.h>
	#include <zircon/syscalls.h>
	#endif

	#include <zircon/compiler.h>
	#include <zircon/types.h>

	#include <fbl/algorithm.h>
	#include <fbl/unique_fd.h>
	#include <fvm/format.h>

	namespace fvm {

	namespace {

	// Return true if g1 is greater than or equal to g2.
	// Safe against integer overflow.
	bool GenerationGE(uint64_t g1, uint64_t g2) {
	if (g1 == UINT64_MAX && g2 == 0) {
	return false;
	} else if (g1 == 0 && g2 == UINT64_MAX) {
	return true;
	}
	return g1 >= g2;
	}

	// Validate the metadata's hash value.
	// Returns 'true' if it matches, 'false' otherwise.
	bool CheckHash(const void* metadata, size_t metadata_size) {
	ZX_ASSERT(metadata_size >= sizeof(Header));
	const Header* header = static_cast<const Header*>(metadata);
	const void* metadata_after_hash =
	reinterpret_cast<const void*>(header->hash + sizeof(header->hash));
	uint8_t empty_hash[sizeof(header->hash)];
	memset(empty_hash, 0, sizeof(empty_hash));

	digest::Digest digest;
	digest.Init();
	digest.Update(metadata, offsetof(Header, hash));
	digest.Update(empty_hash, sizeof(empty_hash));
	digest.Update(metadata_after_hash,
	metadata_size - (offsetof(Header, hash) + sizeof(header->hash)));
	digest.Final();
	return digest == header->hash;
	}

	} // namespace

	void UpdateHash(void* metadata, size_t metadata_size) {
	Header* header = static_cast<Header*>(metadata);
	memset(header->hash, 0, sizeof(header->hash));
	digest::Digest digest;
	const uint8_t* hash = digest.Hash(metadata, metadata_size);
	memcpy(header->hash, hash, sizeof(header->hash));
	}

	std::optional<SuperblockType> ValidateHeader(const void* primary_metadata,
	const void* secondary_metadata, size_t metadata_size) {
	const Header* primary_header = static_cast<const Header*>(primary_metadata);
	size_t primary_metadata_size = primary_header->GetMetadataUsedBytes();

	const Header* secondary_header = static_cast<const Header*>(secondary_metadata);
	size_t secondary_metadata_size = secondary_header->GetMetadataUsedBytes();

	auto check_value_consistency = [metadata_size](const Header& header) {
	// Check header signature and version.
	if (header.magic != kMagic) {
	fprintf(stderr, "fvm: Bad magic\n");
	return false;
	}
	if (header.format_version > kCurrentFormatVersion) {
	fprintf(stderr,
	"fvm: Header format version (=%" PRIu64 ") does not match fvm driver (=%" PRIu64
	")\n",
	header.format_version, kCurrentFormatVersion);
	return false;
	}

	// Check no overflow for each region of metadata.
	uint64_t calculated_metadata_size = 0;
	if (add_overflow(header.allocation_table_size, header.GetAllocationTableOffset(),
	&calculated_metadata_size)) {
	fprintf(stderr, "fvm: Calculated metadata size produces overflow(%" PRIu64 ", %zu).\n",
	header.allocation_table_size, header.GetAllocationTableOffset());
	return false;
	}

	// Check that the reported metadata size matches the calculated metadata size by format info.
	// This may be slightly redundant since presumably the caller who passed in the metadata_size
	// computed it from the header values, but it's useful to check for the backup copy.
	if (header.GetMetadataUsedBytes() > metadata_size) {
	fprintf(stderr,
	"fvm: Reported metadata size of %zu is smaller than header buffer size %zu.\n",
	header.GetMetadataUsedBytes(), metadata_size);
	return false;
	}

	// Check metadata size is as least as big as the header.
	if (header.GetMetadataUsedBytes() < sizeof(Header)) {
	fprintf(stderr,
	"fvm: Reported metadata size of %zu is smaller than header buffer size %lu.\n",
	header.GetMetadataUsedBytes(), sizeof(Header));
	return false;
	}

	// Check metadata allocated size is greater than used size.
	if (header.GetMetadataUsedBytes() > header.GetMetadataAllocatedBytes()) {
	fprintf(stderr, "fvm: Reported metadata size of %zu is greater than allocated size %lu.\n",
	header.GetMetadataUsedBytes(), header.GetMetadataAllocatedBytes());
	return false;
	}

	// Check bounds of slice size and partition.
	if (header.fvm_partition_size < 2 * header.GetMetadataAllocatedBytes()) {
	fprintf(stderr,
	"fvm: Partition of size %" PRIu64 " can't fit both metadata copies of size %zu.\n",
	header.fvm_partition_size, header.GetMetadataAllocatedBytes());
	return false;
	}

	// Check that addressable slices fit in the partition.
	if (header.GetDataStartOffset() +
	(header.GetAllocationTableUsedEntryCount() * header.slice_size) >
	header.fvm_partition_size) {
	fprintf(stderr,
	"fvm: Slice count %zu Slice Size %" PRIu64 " out of range for partition sz %" PRIu64
	".\n",
	header.GetAllocationTableUsedEntryCount(), header.slice_size,
	header.fvm_partition_size);
	return false;
	}

	return true;
	};

	// Assume that the reported metadata size by each header is correct. This size must be smaller
	// than metadata buffer size(\|metadata_size\|. If this is the case, then check that the contents
	// from [start, reported_size] are valid.
	// The metadata size should always be at least the size of the header.
	bool primary_valid = false;
	if (check_value_consistency(*primary_header)) {
	if (CheckHash(primary_metadata, primary_metadata_size)) {
	primary_valid = true;
	} else {
	fprintf(stderr, "fvm: Primary metadata has invalid content hash\n");
	}
	}
	if (!primary_valid) {
	fprintf(stderr, "fvm: Primary metadata invalid\n");
	}
	bool secondary_valid = false;
	if (check_value_consistency(*secondary_header)) {
	if (CheckHash(secondary_metadata, secondary_metadata_size)) {
	secondary_valid = true;
	} else {
	fprintf(stderr, "fvm: Secondary metadata has invalid content hash\n");
	}
	}
	if (!secondary_valid) {
	fprintf(stderr, "fvm: Secondary metadata invalid\n");
	}

	// Decide if we should use the primary or the secondary copy of metadata for reading.
	if (!primary_valid && !secondary_valid) {
	return std::nullopt;
	}

	if (primary_valid && !secondary_valid) {
	return SuperblockType::kPrimary;
	}
	if (!primary_valid && secondary_valid) {
	return SuperblockType::kSecondary;
	}

	// Both valid, pick the newest.
	return GenerationGE(primary_header->generation, secondary_header->generation)
	? SuperblockType::kPrimary
	: SuperblockType::kSecondary;
	}

	} // namespace fvm