[PATCH 4/4] um: account for the separator in add_arg() bounds checking

Next message: Pengpeng Hou: "[PATCH 3/4] powerpc/pseries/ibmebus: reject zero-length bus attribute writes"
Previous message: Pengpeng Hou: "[PATCH 1/4] tracing/probe: reject empty immediate strings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Mon Mar 30 2026 - 02:29:56 EST

add_arg() checks whether command_line and arg fit in the fixed
COMMAND_LINE_SIZE buffer, but when command_line is non-empty it inserts
an additional space before appending arg. The current guard does not
account for that separator, so a non-empty command line can pass the
check and still overflow by one byte.

Count the separator when command_line already contains data.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/um/kernel/um_arch.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/um/kernel/um_arch.c b/arch/um/kernel/um_arch.c
index e2b24e1ecfa6..93eebaf1d236 100644
--- a/arch/um/kernel/um_arch.c
+++ b/arch/um/kernel/um_arch.c
@@ -44,7 +44,12 @@ static char __initdata command_line[COMMAND_LINE_SIZE] = { 0 };

static void __init add_arg(char *arg)
{
- if (strlen(command_line) + strlen(arg) + 1 > COMMAND_LINE_SIZE) {
+ size_t len = strlen(command_line) + strlen(arg) + 1;
+
+ if (command_line[0])
+ len++;
+
+ if (len > COMMAND_LINE_SIZE) {
os_warn("add_arg: Too many command line arguments!\n");
exit(1);
}
--
2.50.1 (Apple Git-155)