1 /*
2 * Wrapper for decompressing XZ-compressed kernel, initramfs, and initrd
3 *
4 * Author: Lasse Collin <lasse.collin@tukaani.org>
5 *
6 * This file has been put into the public domain.
7 * You can do whatever you want with this file.
8 */
9
10 /*
11 * Important notes about in-place decompression
12 *
13 * At least on x86, the kernel is decompressed in place: the compressed data
14 * is placed to the end of the output buffer, and the decompressor overwrites
15 * most of the compressed data. There must be enough safety margin to
16 * guarantee that the write position is always behind the read position.
17 *
18 * The safety margin for XZ with LZMA2 or BCJ+LZMA2 is calculated below.
19 * Note that the margin with XZ is bigger than with Deflate (gzip)!
20 *
21 * The worst case for in-place decompression is that the beginning of
22 * the file is compressed extremely well, and the rest of the file is
23 * uncompressible. Thus, we must look for worst-case expansion when the
24 * compressor is encoding uncompressible data.
25 *
26 * The structure of the .xz file in case of a compresed kernel is as follows.
27 * Sizes (as bytes) of the fields are in parenthesis.
28 *
29 * Stream Header (12)
30 * Block Header:
31 * Block Header (8-12)
32 * Compressed Data (N)
33 * Block Padding (0-3)
34 * CRC32 (4)
35 * Index (8-20)
36 * Stream Footer (12)
37 *
38 * Normally there is exactly one Block, but let's assume that there are
39 * 2-4 Blocks just in case. Because Stream Header and also Block Header
40 * of the first Block don't make the decompressor produce any uncompressed
41 * data, we can ignore them from our calculations. Block Headers of possible
42 * additional Blocks have to be taken into account still. With these
43 * assumptions, it is safe to assume that the total header overhead is
44 * less than 128 bytes.
45 *
46 * Compressed Data contains LZMA2 or BCJ+LZMA2 encoded data. Since BCJ
47 * doesn't change the size of the data, it is enough to calculate the
48 * safety margin for LZMA2.
49 *
50 * LZMA2 stores the data in chunks. Each chunk has a header whose size is
51 * a maximum of 6 bytes, but to get round 2^n numbers, let's assume that
52 * the maximum chunk header size is 8 bytes. After the chunk header, there
53 * may be up to 64 KiB of actual payload in the chunk. Often the payload is
54 * quite a bit smaller though; to be safe, let's assume that an average
55 * chunk has only 32 KiB of payload.
56 *
57 * The maximum uncompressed size of the payload is 2 MiB. The minimum
58 * uncompressed size of the payload is in practice never less than the
59 * payload size itself. The LZMA2 format would allow uncompressed size
60 * to be less than the payload size, but no sane compressor creates such
61 * files. LZMA2 supports storing uncompressible data in uncompressed form,
62 * so there's never a need to create payloads whose uncompressed size is
63 * smaller than the compressed size.
64 *
65 * The assumption, that the uncompressed size of the payload is never
66 * smaller than the payload itself, is valid only when talking about
67 * the payload as a whole. It is possible that the payload has parts where
68 * the decompressor consumes more input than it produces output. Calculating
69 * the worst case for this would be tricky. Instead of trying to do that,
70 * let's simply make sure that the decompressor never overwrites any bytes
71 * of the payload which it is currently reading.
72 *
73 * Now we have enough information to calculate the safety margin. We need
74 * - 128 bytes for the .xz file format headers;
75 * - 8 bytes per every 32 KiB of uncompressed size (one LZMA2 chunk header
76 * per chunk, each chunk having average payload size of 32 KiB); and
77 * - 64 KiB (biggest possible LZMA2 chunk payload size) to make sure that
78 * the decompressor never overwrites anything from the LZMA2 chunk
79 * payload it is currently reading.
80 *
81 * We get the following formula:
82 *
83 * safety_margin = 128 + uncompressed_size * 8 / 32768 + 65536
84 * = 128 + (uncompressed_size >> 12) + 65536
85 *
86 * For comparision, according to arch/x86/boot/compressed/misc.c, the
87 * equivalent formula for Deflate is this:
88 *
89 * safety_margin = 18 + (uncompressed_size >> 12) + 32768
90 *
91 * Thus, when updating Deflate-only in-place kernel decompressor to
92 * support XZ, the fixed overhead has to be increased from 18+32768 bytes
93 * to 128+65536 bytes.
94 */
95
96 #include "decompress.h"
97
98 #define XZ_EXTERN STATIC
99
100 /*
101 * For boot time use, we enable only the BCJ filter of the current
102 * architecture or none if no BCJ filter is available for the architecture.
103 */
104 #ifdef CONFIG_X86
105 # define XZ_DEC_X86
106 #endif
107 #ifdef CONFIG_PPC
108 # define XZ_DEC_POWERPC
109 #endif
110 #ifdef CONFIG_ARM
111 # define XZ_DEC_ARM
112 #endif
113 #ifdef CONFIG_IA64
114 # define XZ_DEC_IA64
115 #endif
116 #ifdef CONFIG_SPARC
117 # define XZ_DEC_SPARC
118 #endif
119
120 /*
121 * This will get the basic headers so that memeq() and others
122 * can be defined.
123 */
124 #include "xz/private.h"
125
126 /*
127 * memeq and memzero are not used much and any remotely sane implementation
128 * is fast enough. memcpy/memmove speed matters in multi-call mode, but
129 * the kernel image is decompressed in single-call mode, in which only
130 * memcpy speed can matter and only if there is a lot of uncompressible data
131 * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the
132 * functions below should just be kept small; it's probably not worth
133 * optimizing for speed.
134 */
135
136 #ifndef memeq
137 #define memeq(p1, p2, sz) (memcmp(p1, p2, sz) == 0)
138 #endif
139
140 #ifndef memzero
141 #define memzero(p, sz) memset(p, 0, sz)
142 #endif
143
144 #include "xz/crc32.c"
145 #include "xz/dec_stream.c"
146 #include "xz/dec_lzma2.c"
147 #include "xz/dec_bcj.c"
148
149 /* Size of the input and output buffers in multi-call mode */
150 #define XZ_IOBUF_SIZE 4096
151
152 /*
153 * This function implements the API defined in <linux/decompress/generic.h>.
154 *
155 * This wrapper will automatically choose single-call or multi-call mode
156 * of the native XZ decoder API. The single-call mode can be used only when
157 * both input and output buffers are available as a single chunk, i.e. when
158 * fill() and flush() won't be used.
159 */
unxz(unsigned char * in,unsigned int in_size,int (* fill)(void * dest,unsigned int size),int (* flush)(void * src,unsigned int size),unsigned char * out,unsigned int * in_used,void (* error)(const char * x))160 STATIC int INIT unxz(unsigned char *in, unsigned int in_size,
161 int (*fill)(void *dest, unsigned int size),
162 int (*flush)(void *src, unsigned int size),
163 unsigned char *out, unsigned int *in_used,
164 void (*error)(const char *x))
165 {
166 struct xz_buf b;
167 struct xz_dec *s;
168 enum xz_ret ret;
169 bool_t must_free_in = false;
170
171 xz_crc32_init();
172
173 if (in_used != NULL)
174 *in_used = 0;
175
176 if (fill == NULL && flush == NULL)
177 s = xz_dec_init(XZ_SINGLE, 0);
178 else
179 s = xz_dec_init(XZ_DYNALLOC, (uint32_t)-1);
180
181 if (s == NULL)
182 goto error_alloc_state;
183
184 if (flush == NULL) {
185 b.out = out;
186 b.out_size = (size_t)-1;
187 } else {
188 b.out_size = XZ_IOBUF_SIZE;
189 b.out = malloc(XZ_IOBUF_SIZE);
190 if (b.out == NULL)
191 goto error_alloc_out;
192 }
193
194 if (in == NULL) {
195 must_free_in = true;
196 in = malloc(XZ_IOBUF_SIZE);
197 if (in == NULL)
198 goto error_alloc_in;
199 }
200
201 b.in = in;
202 b.in_pos = 0;
203 b.in_size = in_size;
204 b.out_pos = 0;
205
206 if (fill == NULL && flush == NULL) {
207 ret = xz_dec_run(s, &b);
208 } else {
209 do {
210 if (b.in_pos == b.in_size && fill != NULL) {
211 if (in_used != NULL)
212 *in_used += b.in_pos;
213
214 b.in_pos = 0;
215
216 in_size = fill(in, XZ_IOBUF_SIZE);
217 if ((int) in_size < 0) {
218 /*
219 * This isn't an optimal error code
220 * but it probably isn't worth making
221 * a new one either.
222 */
223 ret = XZ_BUF_ERROR;
224 break;
225 }
226
227 b.in_size = in_size;
228 }
229
230 ret = xz_dec_run(s, &b);
231
232 if (flush != NULL && (b.out_pos == b.out_size
233 || (ret != XZ_OK && b.out_pos > 0))) {
234 /*
235 * Setting ret here may hide an error
236 * returned by xz_dec_run(), but probably
237 * it's not too bad.
238 */
239 if (flush(b.out, b.out_pos) != (int)b.out_pos)
240 ret = XZ_BUF_ERROR;
241
242 b.out_pos = 0;
243 }
244 } while (ret == XZ_OK);
245
246 if (must_free_in)
247 free(in);
248
249 if (flush != NULL)
250 free(b.out);
251 }
252
253 if (in_used != NULL)
254 *in_used += b.in_pos;
255
256 xz_dec_end(s);
257
258 switch (ret) {
259 case XZ_STREAM_END:
260 return 0;
261
262 case XZ_MEM_ERROR:
263 /* This can occur only in multi-call mode. */
264 error("XZ decompressor ran out of memory");
265 break;
266
267 case XZ_FORMAT_ERROR:
268 error("Input is not in the XZ format (wrong magic bytes)");
269 break;
270
271 case XZ_OPTIONS_ERROR:
272 error("Input was encoded with settings that are not "
273 "supported by this XZ decoder");
274 break;
275
276 case XZ_DATA_ERROR:
277 case XZ_BUF_ERROR:
278 error("XZ-compressed data is corrupt");
279 break;
280
281 default:
282 error("Bug in the XZ decompressor");
283 break;
284 }
285
286 return -1;
287
288 error_alloc_in:
289 if (flush != NULL)
290 free(b.out);
291
292 error_alloc_out:
293 xz_dec_end(s);
294
295 error_alloc_state:
296 error("XZ decompressor ran out of memory");
297 return -1;
298 }
299
300 /*
301 * This macro is used by architecture-specific files to decompress
302 * the kernel image.
303 */
304 #define decompress unxz
305