Re: [PATCH] arm64: pi: validate bootargs before parsing them
From: Pengpeng Hou
Date: Sat Apr 04 2026 - 22:16:45 EST

Hi Will,

Thanks, that's a fair question.

The reason I cared here is not that we can make every malformed FDT survive
cleanly, but that this particular caller turns a raw property into an
unbounded C string immediately:

    fdt_getprop() -> strlen() -> __parse_cmdline()

If `bootargs` is not NUL-terminated within the property bounds, `strlen()`
can walk past the property before the parser even starts. By contrast, a
NUL-terminated but semantically bogus string stays within the property bounds
and is then just handled as bad/ignored command-line content.

So the issue I was trying to harden is specifically “raw FDT property becomes
a C string without a local bound check”, not malformed DT handling in the
broadest sense.

You're also right to ask about scope. I do not think every early
`fdt_getprop()` caller should be converted mechanically; the ones that matter
here are the callers that immediately feed raw properties into unbounded
string helpers or parsers. This arm64 PI bootargs path is one of those.

I will rework this around that boundary instead of pushing this one caller in
isolation. In other words, I will audit the same early-bootargs family of
callers and only convert the ones that have this direct
`raw property -> unbounded C-string helper/parser` shape.

Thanks,
Pengpeng
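
The bound check discussed in the message above, as an added example that is not part of the original message or of the patch. It uses no libfdt or kernel code: `prop_as_cstring()` is a hypothetical helper, and the byte arrays are constructed samples standing in for a property pointer and length as `fdt_getprop()` would report them.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not a libfdt or kernel function): accept a raw
 * property of `len` bytes as a C string only if a NUL terminator lies
 * inside the property. On success, returns the string and stores its
 * length in *slen. Returns NULL when the property must not reach strlen().
 */
static const char *prop_as_cstring(const void *prop, int len, size_t *slen)
{
    const char *s = prop;
    const char *nul;

    if (!prop || len <= 0)
        return NULL;                /* absent or empty property */

    nul = memchr(s, '\0', (size_t)len);
    if (!nul)
        return NULL;                /* no terminator within the bounds */

    *slen = (size_t)(nul - s);      /* bytes after the first NUL are ignored */
    return s;
}

/*
 * Constructed samples. In blob_bad the "property" is only the first
 * PROP_BAD_LEN bytes; the rest stands in for whatever follows it in memory.
 */
#define PROP_BAD_LEN 8
static const char blob_bad[] = { 'q','u','i','e','t',' ','r','o',
                                 'X','X','X','\0' };
static const char blob_ok[] = "quiet ro";   /* 9 bytes, NUL included */

int main(void)
{
    size_t n = 0;

    /* Unbounded strlen() runs past the 8-byte property into the X bytes. */
    printf("strlen on raw property: %zu (property is %d bytes)\n",
           strlen(blob_bad), PROP_BAD_LEN);
    printf("unterminated accepted: %d\n",
           prop_as_cstring(blob_bad, PROP_BAD_LEN, &n) != NULL);
    if (prop_as_cstring(blob_ok, (int)sizeof(blob_ok), &n))
        printf("terminated accepted, length %zu\n", n);
    return 0;
}
```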