[PATCH 2/8] MIPS: sni: bound PROM command-line appends

Next message: Pengpeng Hou: "[PATCH 1/8] MIPS: dec: bound PROM command-line appends"
Previous message: kernel test robot: "Re: [PATCH] fuse: Send FORGET over io_uring when ring is ready"
In reply to: Pengpeng Hou: "[PATCH 0/8] MIPS: bound early command-line construction"
Next in thread: Pengpeng Hou: "[PATCH 1/8] MIPS: dec: bound PROM command-line appends"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Sat Apr 04 2026 - 22:32:20 EST

prom_init() copies SNI PROM arguments into arcs_cmdline with unchecked
strcat() calls for both the argument text and the separating spaces. A
long enough PROM command line can therefore overflow the fixed kernel
command-line buffer during boot.

Use bounded concatenation for the copied arguments and separators.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/mips/fw/sni/sniprom.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/arch/mips/fw/sni/sniprom.c b/arch/mips/fw/sni/sniprom.c
index 74975e115950..61f4b9f70d30 100644
--- a/arch/mips/fw/sni/sniprom.c
+++ b/arch/mips/fw/sni/sniprom.c
@@ -142,8 +142,12 @@ void __init prom_init(void)

/* copy prom cmdline parameters to kernel cmdline */
for (i = 1; i < argc; i++) {
- strcat(arcs_cmdline, (char *)CKSEG0ADDR(argv[i]));
- if (i < (argc - 1))
- strcat(arcs_cmdline, " ");
+ if (strlcat(arcs_cmdline, (char *)CKSEG0ADDR(argv[i]),
+ COMMAND_LINE_SIZE) >= COMMAND_LINE_SIZE)
+ break;
+ if (i < (argc - 1) &&
+ strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE) >=
+ COMMAND_LINE_SIZE)
+ break;
}
}
--
2.50.1 (Apple Git-155)