[PATCH 1/8] MIPS: dec: bound PROM command-line appends

Next message: Pengpeng Hou: "[PATCH 0/8] MIPS: bound early command-line construction"
Previous message: Pengpeng Hou: "[PATCH 2/8] MIPS: sni: bound PROM command-line appends"
In reply to: Pengpeng Hou: "[PATCH 2/8] MIPS: sni: bound PROM command-line appends"
Next in thread: Pengpeng Hou: "[PATCH 3/8] MIPS: lemote-2f: bound machtype command-line append"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Sat Apr 04 2026 - 22:32:20 EST

prom_init_cmdline() appends raw firmware arguments into the fixed
arcs_cmdline buffer with strcat() and adds spaces with another unchecked
strcat(). A long enough argument list can therefore run past the end of
the command-line buffer during early boot.

Switch the appends to bounded concatenation so the PROM argument scan
cannot overflow arcs_cmdline.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/mips/dec/prom/cmdline.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/arch/mips/dec/prom/cmdline.c b/arch/mips/dec/prom/cmdline.c
index 3ed63280ae29..954b14c103d2 100644
--- a/arch/mips/dec/prom/cmdline.c
+++ b/arch/mips/dec/prom/cmdline.c
@@ -29,9 +29,13 @@ void __init prom_init_cmdline(s32 argc, s32 *argv, u32 magic)
start_arg = 2;
for (i = start_arg; i < argc; i++) {
arg = (void *)(long)(argv[i]);
- strcat(arcs_cmdline, arg);
- if (i < (argc - 1))
- strcat(arcs_cmdline, " ");
+ if (strlcat(arcs_cmdline, arg, COMMAND_LINE_SIZE) >=
+ COMMAND_LINE_SIZE)
+ break;
+ if (i < (argc - 1) &&
+ strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE) >=
+ COMMAND_LINE_SIZE)
+ break;
}

#ifdef PROM_DEBUG
--
2.50.1 (Apple Git-155)