1
/* xz_dec_stream.c - .xz Stream decoder */
3
* GRUB -- GRand Unified Bootloader
4
* Copyright (C) 2010 Free Software Foundation, Inc.
6
* GRUB is free software: you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation, either version 3 of the License, or
9
* (at your option) any later version.
11
* GRUB is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
20
* This file is based on code from XZ embedded project
21
* http://tukaani.org/xz/embedded.html
24
#include "xz_config.h"
25
#include "xz_private.h"
26
#include "xz_stream.h"
28
#include <grub/crypto.h>
30
/* Hash used to validate the Index field */
33
vli_type uncompressed;
34
#ifndef GRUB_EMBED_DECOMPRESSOR
35
uint8_t *crc32_context;
40
/* Position in dec_main() */
54
/* Position in variable-length integers and Check fields */
57
/* Variable-length integer decoded by dec_vli() */
60
/* Saved in_pos and out_pos */
64
/* CRC32 value in Block or Index */
65
uint32_t crc32_temp; /* need for crc32_validate*/
66
uint8_t *crc32_context;
68
/* True if CRC32 is calculated from uncompressed data */
71
/* True if we are operating in single-call mode. */
75
* True if the next call to xz_dec_run() is allowed to return
80
/* Information stored in Block Header */
83
* Value stored in the Compressed Size field, or
84
* VLI_UNKNOWN if Compressed Size is not present.
89
* Value stored in the Uncompressed Size field, or
90
* VLI_UNKNOWN if Uncompressed Size is not present.
92
vli_type uncompressed;
94
/* Size of the Block Header field */
98
/* Information collected when decoding Blocks */
100
/* Observed compressed size of the current Block */
103
/* Observed uncompressed size of the current Block */
104
vli_type uncompressed;
106
/* Number of Blocks decoded so far */
110
* Hash calculated from the Block sizes. This is used to
111
* validate the Index field.
113
struct xz_dec_hash hash;
116
/* Variables needed when verifying the Index field */
118
/* Position in dec_index() */
122
SEQ_INDEX_UNCOMPRESSED
125
/* Size of the Index in bytes */
128
/* Number of Records (matches block.count in valid files) */
132
* Hash calculated from the Records (matches block.hash in
135
struct xz_dec_hash hash;
139
* Temporary buffer needed to hold Stream Header, Block Header,
140
* and Stream Footer. The Block Header is the biggest (1 KiB)
141
* so we reserve space according to that. buf[] has to be aligned
142
* to a multiple of four bytes; the size_t variables before it
143
* should guarantee this.
151
struct xz_dec_lzma2 *lzma2;
154
struct xz_dec_bcj *bcj;
160
* Fill s->temp by copying data starting from b->in[b->in_pos]. Caller
161
* must have set s->temp.pos to indicate how much data we are supposed
162
* to copy into s->temp.buf. Return true once s->temp.pos has reached
165
static bool fill_temp(struct xz_dec *s, struct xz_buf *b)
167
size_t copy_size = min_t(size_t,
168
b->in_size - b->in_pos, s->temp.size - s->temp.pos);
170
memcpy(s->temp.buf + s->temp.pos, b->in + b->in_pos, copy_size);
171
b->in_pos += copy_size;
172
s->temp.pos += copy_size;
174
if (s->temp.pos == s->temp.size) {
182
/* Decode a variable-length integer (little-endian base-128 encoding) */
183
static enum xz_ret dec_vli(struct xz_dec *s,
184
const uint8_t *in, size_t *in_pos, size_t in_size)
191
while (*in_pos < in_size) {
195
s->vli |= (vli_type)(byte & 0x7F) << s->pos;
197
if ((byte & 0x80) == 0) {
198
/* Don't allow non-minimal encodings. */
199
if (byte == 0 && s->pos != 0)
200
return XZ_DATA_ERROR;
203
return XZ_STREAM_END;
207
if (s->pos == 7 * VLI_BYTES_MAX)
208
return XZ_DATA_ERROR;
215
* Decode the Compressed Data field from a Block. Update and validate
216
* the observed compressed and uncompressed sizes of the Block so that
217
* they don't exceed the values possibly stored in the Block Header
218
* (validation assumes that no integer overflow occurs, since vli_type
219
* is normally uint64_t). Update the CRC32 if presence of the CRC32
220
* field was indicated in Stream Header.
222
* Once the decoding is finished, validate that the observed sizes match
223
* the sizes possibly stored in the Block Header. Update the hash and
224
* Block count, which are later used to validate the Index field.
226
static enum xz_ret dec_block(struct xz_dec *s, struct xz_buf *b)
230
s->in_start = b->in_pos;
231
s->out_start = b->out_pos;
235
ret = xz_dec_bcj_run(s->bcj, s->lzma2, b);
238
ret = xz_dec_lzma2_run(s->lzma2, b);
240
s->block.compressed += b->in_pos - s->in_start;
241
s->block.uncompressed += b->out_pos - s->out_start;
244
* There is no need to separately check for VLI_UNKNOWN, since
245
* the observed sizes are always smaller than VLI_UNKNOWN.
247
if (s->block.compressed > s->block_header.compressed
248
|| s->block.uncompressed
249
> s->block_header.uncompressed)
250
return XZ_DATA_ERROR;
252
#ifndef GRUB_EMBED_DECOMPRESSOR
254
GRUB_MD_CRC32->write(s->crc32_context,b->out + s->out_start,
255
b->out_pos - s->out_start);
258
if (ret == XZ_STREAM_END) {
259
if (s->block_header.compressed != VLI_UNKNOWN
260
&& s->block_header.compressed
261
!= s->block.compressed)
262
return XZ_DATA_ERROR;
264
if (s->block_header.uncompressed != VLI_UNKNOWN
265
&& s->block_header.uncompressed
266
!= s->block.uncompressed)
267
return XZ_DATA_ERROR;
269
s->block.hash.unpadded += s->block_header.size
270
+ s->block.compressed;
272
s->block.hash.unpadded += 4;
274
s->block.hash.uncompressed += s->block.uncompressed;
276
#ifndef GRUB_EMBED_DECOMPRESSOR
277
GRUB_MD_CRC32->write(s->block.hash.crc32_context,
278
(const uint8_t *)&s->block.hash, 2 * sizeof(vli_type));
287
/* Update the Index size and the CRC32 value. */
288
static void index_update(struct xz_dec *s, const struct xz_buf *b)
290
size_t in_used = b->in_pos - s->in_start;
291
s->index.size += in_used;
292
#ifndef GRUB_EMBED_DECOMPRESSOR
293
GRUB_MD_CRC32->write(s->crc32_context,b->in + s->in_start, in_used);
298
* Decode the Number of Records, Unpadded Size, and Uncompressed Size
299
* fields from the Index field. That is, Index Padding and CRC32 are not
300
* decoded by this function.
302
* This can return XZ_OK (more input needed), XZ_STREAM_END (everything
303
* successfully decoded), or XZ_DATA_ERROR (input is corrupt).
305
static enum xz_ret dec_index(struct xz_dec *s, struct xz_buf *b)
310
ret = dec_vli(s, b->in, &b->in_pos, b->in_size);
311
if (ret != XZ_STREAM_END) {
316
switch (s->index.sequence) {
317
case SEQ_INDEX_COUNT:
318
s->index.count = s->vli;
321
* Validate that the Number of Records field
322
* indicates the same number of Records as
323
* there were Blocks in the Stream.
325
if (s->index.count != s->block.count)
326
return XZ_DATA_ERROR;
328
s->index.sequence = SEQ_INDEX_UNPADDED;
331
case SEQ_INDEX_UNPADDED:
332
s->index.hash.unpadded += s->vli;
333
s->index.sequence = SEQ_INDEX_UNCOMPRESSED;
336
case SEQ_INDEX_UNCOMPRESSED:
337
s->index.hash.uncompressed += s->vli;
339
#ifndef GRUB_EMBED_DECOMPRESSOR
340
GRUB_MD_CRC32->write(s->index.hash.crc32_context,
341
(const uint8_t *)&s->index.hash, 2 * sizeof(vli_type));
345
s->index.sequence = SEQ_INDEX_UNPADDED;
348
} while (s->index.count > 0);
350
return XZ_STREAM_END;
354
* Validate that the next four input bytes match the value of s->crc32.
355
* s->pos must be zero when starting to validate the first byte.
357
static enum xz_ret crc32_validate(struct xz_dec *s, struct xz_buf *b)
359
#ifndef GRUB_EMBED_DECOMPRESSOR
360
if(s->crc32_temp == 0)
362
GRUB_MD_CRC32->final(s->crc32_context);
363
s->crc32_temp = get_unaligned_be32(GRUB_MD_CRC32->read(s->crc32_context));
368
if (b->in_pos == b->in_size)
371
#ifndef GRUB_EMBED_DECOMPRESSOR
372
if (((s->crc32_temp >> s->pos) & 0xFF) != b->in[b->in_pos++])
373
return XZ_DATA_ERROR;
378
} while (s->pos < 32);
380
#ifndef GRUB_EMBED_DECOMPRESSOR
381
GRUB_MD_CRC32->init(s->crc32_context);
386
return XZ_STREAM_END;
389
/* Decode the Stream Header field (the first 12 bytes of the .xz Stream). */
390
static enum xz_ret dec_stream_header(struct xz_dec *s)
392
if (! memeq(s->temp.buf, HEADER_MAGIC, HEADER_MAGIC_SIZE))
393
return XZ_FORMAT_ERROR;
395
#ifndef GRUB_EMBED_DECOMPRESSOR
396
uint8_t crc32_context[GRUB_MD_CRC32->contextsize];
398
GRUB_MD_CRC32->init(crc32_context);
399
GRUB_MD_CRC32->write(crc32_context,s->temp.buf + HEADER_MAGIC_SIZE, 2);
400
GRUB_MD_CRC32->final(crc32_context);
402
uint32_t resultcrc = get_unaligned_be32(GRUB_MD_CRC32->read(crc32_context));
403
uint32_t readcrc = get_unaligned_le32(s->temp.buf + HEADER_MAGIC_SIZE + 2);
405
if(resultcrc != readcrc)
406
return XZ_DATA_ERROR;
410
* Decode the Stream Flags field. Of integrity checks, we support
411
* only none (Check ID = 0) and CRC32 (Check ID = 1).
413
if (s->temp.buf[HEADER_MAGIC_SIZE] != 0
414
|| s->temp.buf[HEADER_MAGIC_SIZE + 1] > 1)
415
return XZ_OPTIONS_ERROR;
417
s->has_crc32 = s->temp.buf[HEADER_MAGIC_SIZE + 1];
422
/* Decode the Stream Footer field (the last 12 bytes of the .xz Stream) */
423
static enum xz_ret dec_stream_footer(struct xz_dec *s)
425
if (! memeq(s->temp.buf + 10, FOOTER_MAGIC, FOOTER_MAGIC_SIZE))
426
return XZ_DATA_ERROR;
428
#ifndef GRUB_EMBED_DECOMPRESSOR
429
uint8_t crc32_context[GRUB_MD_CRC32->contextsize];
431
GRUB_MD_CRC32->init(crc32_context);
432
GRUB_MD_CRC32->write(crc32_context, s->temp.buf + 4, 6);
433
GRUB_MD_CRC32->final(crc32_context);
435
uint32_t resultcrc = get_unaligned_be32(GRUB_MD_CRC32->read(crc32_context));
436
uint32_t readcrc = get_unaligned_le32(s->temp.buf);
438
if(resultcrc != readcrc)
439
return XZ_DATA_ERROR;
443
* Validate Backward Size. Note that we never added the size of the
444
* Index CRC32 field to s->index.size, thus we use s->index.size / 4
445
* instead of s->index.size / 4 - 1.
447
if ((s->index.size >> 2) != get_le32(s->temp.buf + 4))
448
return XZ_DATA_ERROR;
450
if (s->temp.buf[8] != 0 || s->temp.buf[9] != s->has_crc32)
451
return XZ_DATA_ERROR;
454
* Use XZ_STREAM_END instead of XZ_OK to be more convenient
457
return XZ_STREAM_END;
460
/* Decode the Block Header and initialize the filter chain. */
461
static enum xz_ret dec_block_header(struct xz_dec *s)
466
* Validate the CRC32. We know that the temp buffer is at least
467
* eight bytes so this is safe.
470
#ifndef GRUB_EMBED_DECOMPRESSOR
471
uint8_t crc32_context[GRUB_MD_CRC32->contextsize];
473
GRUB_MD_CRC32->init(crc32_context);
474
GRUB_MD_CRC32->write(crc32_context, s->temp.buf, s->temp.size);
475
GRUB_MD_CRC32->final(crc32_context);
477
uint32_t resultcrc = get_unaligned_be32(GRUB_MD_CRC32->read(crc32_context));
478
uint32_t readcrc = get_unaligned_le32(s->temp.buf + s->temp.size);
480
if (resultcrc != readcrc)
481
return XZ_DATA_ERROR;
487
* Catch unsupported Block Flags. We support only one or two filters
488
* in the chain, so we catch that with the same test.
491
if (s->temp.buf[1] & 0x3E)
493
if (s->temp.buf[1] & 0x3F)
495
return XZ_OPTIONS_ERROR;
497
/* Compressed Size */
498
if (s->temp.buf[1] & 0x40) {
499
if (dec_vli(s, s->temp.buf, &s->temp.pos, s->temp.size)
501
return XZ_DATA_ERROR;
503
s->block_header.compressed = s->vli;
505
s->block_header.compressed = VLI_UNKNOWN;
508
/* Uncompressed Size */
509
if (s->temp.buf[1] & 0x80) {
510
if (dec_vli(s, s->temp.buf, &s->temp.pos, s->temp.size)
512
return XZ_DATA_ERROR;
514
s->block_header.uncompressed = s->vli;
516
s->block_header.uncompressed = VLI_UNKNOWN;
520
/* If there are two filters, the first one must be a BCJ filter. */
521
s->bcj_active = s->temp.buf[1] & 0x01;
523
if (s->temp.size - s->temp.pos < 2)
524
return XZ_OPTIONS_ERROR;
526
ret = xz_dec_bcj_reset(s->bcj, s->temp.buf[s->temp.pos++]);
531
* We don't support custom start offset,
532
* so Size of Properties must be zero.
534
if (s->temp.buf[s->temp.pos++] != 0x00)
535
return XZ_OPTIONS_ERROR;
539
/* Valid Filter Flags always take at least two bytes. */
540
if (s->temp.size - s->temp.pos < 2)
541
return XZ_DATA_ERROR;
543
/* Filter ID = LZMA2 */
544
if (s->temp.buf[s->temp.pos++] != 0x21)
545
return XZ_OPTIONS_ERROR;
547
/* Size of Properties = 1-byte Filter Properties */
548
if (s->temp.buf[s->temp.pos++] != 0x01)
549
return XZ_OPTIONS_ERROR;
551
/* Filter Properties contains LZMA2 dictionary size. */
552
if (s->temp.size - s->temp.pos < 1)
553
return XZ_DATA_ERROR;
555
ret = xz_dec_lzma2_reset(s->lzma2, s->temp.buf[s->temp.pos++]);
559
/* The rest must be Header Padding. */
560
while (s->temp.pos < s->temp.size)
561
if (s->temp.buf[s->temp.pos++] != 0x00)
562
return XZ_OPTIONS_ERROR;
565
s->block.compressed = 0;
566
s->block.uncompressed = 0;
571
static enum xz_ret dec_main(struct xz_dec *s, struct xz_buf *b)
576
* Store the start position for the case when we are in the middle
577
* of the Index field.
579
s->in_start = b->in_pos;
582
switch (s->sequence) {
583
case SEQ_STREAM_HEADER:
585
* Stream Header is copied to s->temp, and then
586
* decoded from there. This way if the caller
587
* gives us only little input at a time, we can
588
* still keep the Stream Header decoding code
589
* simple. Similar approach is used in many places
592
if (!fill_temp(s, b))
595
ret = dec_stream_header(s);
599
s->sequence = SEQ_BLOCK_START;
601
case SEQ_BLOCK_START:
602
/* We need one byte of input to continue. */
603
if (b->in_pos == b->in_size)
606
/* See if this is the beginning of the Index field. */
607
if (b->in[b->in_pos] == 0) {
608
s->in_start = b->in_pos++;
609
s->sequence = SEQ_INDEX;
614
* Calculate the size of the Block Header and
615
* prepare to decode it.
618
= ((uint32_t)b->in[b->in_pos] + 1) * 4;
620
s->temp.size = s->block_header.size;
622
s->sequence = SEQ_BLOCK_HEADER;
624
case SEQ_BLOCK_HEADER:
625
if (!fill_temp(s, b))
628
ret = dec_block_header(s);
632
s->sequence = SEQ_BLOCK_UNCOMPRESS;
634
case SEQ_BLOCK_UNCOMPRESS:
635
ret = dec_block(s, b);
636
if (ret != XZ_STREAM_END)
639
s->sequence = SEQ_BLOCK_PADDING;
641
case SEQ_BLOCK_PADDING:
643
* Size of Compressed Data + Block Padding
644
* must be a multiple of four. We don't need
645
* s->block.compressed for anything else
646
* anymore, so we use it here to test the size
647
* of the Block Padding field.
649
while (s->block.compressed & 3) {
650
if (b->in_pos == b->in_size)
653
if (b->in[b->in_pos++] != 0)
654
return XZ_DATA_ERROR;
656
++s->block.compressed;
659
s->sequence = SEQ_BLOCK_CHECK;
661
case SEQ_BLOCK_CHECK:
663
ret = crc32_validate(s, b);
664
if (ret != XZ_STREAM_END)
668
s->sequence = SEQ_BLOCK_START;
672
ret = dec_index(s, b);
673
if (ret != XZ_STREAM_END)
676
s->sequence = SEQ_INDEX_PADDING;
678
case SEQ_INDEX_PADDING:
679
while ((s->index.size + (b->in_pos - s->in_start))
681
if (b->in_pos == b->in_size) {
686
if (b->in[b->in_pos++] != 0)
687
return XZ_DATA_ERROR;
690
/* Finish the CRC32 value and Index size. */
693
#ifndef GRUB_EMBED_DECOMPRESSOR
694
/* Compare the hashes to validate the Index field. */
695
GRUB_MD_CRC32->final(s->block.hash.crc32_context);
696
GRUB_MD_CRC32->final(s->index.hash.crc32_context);
697
uint32_t block_crc = *(uint32_t*)GRUB_MD_CRC32->read(s->block.hash.crc32_context);
698
uint32_t index_crc = *(uint32_t*)GRUB_MD_CRC32->read(s->index.hash.crc32_context);
700
if (s->block.hash.unpadded != s->index.hash.unpadded
701
|| s->block.hash.uncompressed != s->index.hash.uncompressed
702
|| block_crc != index_crc)
704
return XZ_DATA_ERROR;
708
s->sequence = SEQ_INDEX_CRC32;
710
case SEQ_INDEX_CRC32:
711
ret = crc32_validate(s, b);
712
if (ret != XZ_STREAM_END)
715
s->temp.size = STREAM_HEADER_SIZE;
716
s->sequence = SEQ_STREAM_FOOTER;
718
case SEQ_STREAM_FOOTER:
719
if (!fill_temp(s, b))
722
return dec_stream_footer(s);
730
* xz_dec_run() is a wrapper for dec_main() to handle some special cases in
731
* multi-call and single-call decoding.
733
* In multi-call mode, we must return XZ_BUF_ERROR when it seems clear that we
734
* are not going to make any progress anymore. This is to prevent the caller
735
* from calling us infinitely when the input file is truncated or otherwise
736
* corrupt. Since zlib-style API allows that the caller fills the input buffer
737
* only when the decoder doesn't produce any new output, we have to be careful
738
* to avoid returning XZ_BUF_ERROR too easily: XZ_BUF_ERROR is returned only
739
* after the second consecutive call to xz_dec_run() that makes no progress.
741
* In single-call mode, if we couldn't decode everything and no error
742
* occurred, either the input is truncated or the output buffer is too small.
743
* Since we know that the last input byte never produces any output, we know
744
* that if all the input was consumed and decoding wasn't finished, the file
745
* must be corrupt. Otherwise the output buffer has to be too small or the
746
* file is corrupt in a way that decoding it produces too big output.
748
* If single-call decoding fails, we reset b->in_pos and b->out_pos back to
749
* their original values. This is because with some filter chains there won't
750
* be any valid uncompressed data in the output buffer unless the decoding
751
* actually succeeds (that's the price to pay of using the output buffer as
754
enum xz_ret xz_dec_run(struct xz_dec *s, struct xz_buf *b)
763
in_start = b->in_pos;
764
out_start = b->out_pos;
765
ret = dec_main(s, b);
767
if (s->single_call) {
769
ret = b->in_pos == b->in_size
770
? XZ_DATA_ERROR : XZ_BUF_ERROR;
772
if (ret != XZ_STREAM_END) {
773
b->in_pos = in_start;
774
b->out_pos = out_start;
777
} else if (ret == XZ_OK && in_start == b->in_pos
778
&& out_start == b->out_pos) {
779
if (s->allow_buf_error)
782
s->allow_buf_error = true;
784
s->allow_buf_error = false;
790
#ifdef GRUB_EMBED_DECOMPRESSOR
791
struct xz_dec decoder;
794
struct xz_dec * xz_dec_init(uint32_t dict_max)
797
#ifdef GRUB_EMBED_DECOMPRESSOR
800
s = kmalloc(sizeof(*s), GFP_KERNEL);
805
#ifndef GRUB_EMBED_DECOMPRESSOR
806
/* prepare CRC32 calculators */
807
if(GRUB_MD_CRC32 == NULL)
813
s->crc32_context = kmalloc(GRUB_MD_CRC32->contextsize, GFP_KERNEL);
814
if (s->crc32_context == NULL)
820
s->index.hash.crc32_context = kmalloc(GRUB_MD_CRC32->contextsize, GFP_KERNEL);
821
if (s->index.hash.crc32_context == NULL)
823
kfree(s->crc32_context);
828
s->block.hash.crc32_context = kmalloc(GRUB_MD_CRC32->contextsize, GFP_KERNEL);
829
if (s->block.hash.crc32_context == NULL)
831
kfree(s->index.hash.crc32_context);
832
kfree(s->crc32_context);
838
GRUB_MD_CRC32->init(s->crc32_context);
839
GRUB_MD_CRC32->init(s->index.hash.crc32_context);
840
GRUB_MD_CRC32->init(s->block.hash.crc32_context);
845
s->single_call = dict_max == 0;
848
s->bcj = xz_dec_bcj_create(s->single_call);
853
s->lzma2 = xz_dec_lzma2_create(dict_max);
854
if (s->lzma2 == NULL)
862
xz_dec_bcj_end(s->bcj);
865
#ifndef GRUB_EMBED_DECOMPRESSOR
871
void xz_dec_reset(struct xz_dec *s)
873
s->sequence = SEQ_STREAM_HEADER;
874
s->allow_buf_error = false;
878
#ifndef GRUB_EMBED_DECOMPRESSOR
880
t = s->block.hash.crc32_context;
882
memzero(&s->block, sizeof(s->block));
883
#ifndef GRUB_EMBED_DECOMPRESSOR
884
s->block.hash.crc32_context = t;
885
t = s->index.hash.crc32_context;
887
memzero(&s->index, sizeof(s->index));
888
#ifndef GRUB_EMBED_DECOMPRESSOR
889
s->index.hash.crc32_context = t;
893
s->temp.size = STREAM_HEADER_SIZE;
895
#ifndef GRUB_EMBED_DECOMPRESSOR
896
GRUB_MD_CRC32->init(s->crc32_context);
897
GRUB_MD_CRC32->init(s->index.hash.crc32_context);
898
GRUB_MD_CRC32->init(s->block.hash.crc32_context);
903
void xz_dec_end(struct xz_dec *s)
906
xz_dec_lzma2_end(s->lzma2);
907
#ifndef GRUB_EMBED_DECOMPRESSOR
908
kfree(s->index.hash.crc32_context);
909
kfree(s->block.hash.crc32_context);
910
kfree(s->crc32_context);
913
xz_dec_bcj_end(s->bcj);
915
#ifndef GRUB_EMBED_DECOMPRESSOR