[PATCH 5/8] MIPS: arc: bound firmware command-line construction

From: Pengpeng Hou

Date: Sat Apr 04 2026 - 22:33:09 EST


The ARC PROM command-line path appends translated firmware variables and
raw arguments into arcs_cmdline with unchecked pointer arithmetic and
memcpy(). A long enough firmware argument set can overrun the fixed
kernel command-line buffer before boot completes.

Use bounded concatenation for both the rewritten ARC variables and the
remaining PROM arguments.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/mips/fw/arc/cmdline.c | 23 +++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/arch/mips/fw/arc/cmdline.c b/arch/mips/fw/arc/cmdline.c
index 86b0e377b713..d66a6b8216f2 100644
--- a/arch/mips/fw/arc/cmdline.c
+++ b/arch/mips/fw/arc/cmdline.c
@@ -51,18 +51,20 @@
len = strlen(used_arc[i][0]);

if (!strncmp(prom_argv(actr), used_arc[i][0], len)) {
- /* Ok, we want it. First append the replacement... */
- strcat(cp, used_arc[i][1]);
- cp += strlen(used_arc[i][1]);
+ /* Ok, we want it. First append the replacement... */
+ strlcat(arcs_cmdline, used_arc[i][1],
+ COMMAND_LINE_SIZE);
+ cp = arcs_cmdline + strlen(arcs_cmdline);
/* ... and now the argument */
s = strchr(prom_argv(actr), '=');
if (s) {
s++;
- len = strlen(s);
- memcpy(cp, s, len + 1);
- cp += len;
+ strlcat(arcs_cmdline, s,
+ COMMAND_LINE_SIZE);
+ cp = arcs_cmdline + strlen(arcs_cmdline);
}
- *cp++ = ' ';
+ strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE);
+ cp = arcs_cmdline + strlen(arcs_cmdline);
break;
}
}
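Review bot: The return value of every `strlcat()` call in this hunk is discarded, so an oversized firmware argument set is now truncated silently and the kernel boots with a cut-off final argument; a shortened `name=value` can still parse as a valid but different setting. `strlcat()` returns the length it tried to create, so truncation can be detected and reported, for example `if (strlcat(arcs_cmdline, s, COMMAND_LINE_SIZE) >= COMMAND_LINE_SIZE) pr_warn("ARC: command line truncated\n");` (assuming printk is usable this early in boot). The same applies to the two `strlcat()` calls in the second hunk. The calls also append to `arcs_cmdline` instead of `cp`, which is equivalent only if the caller passes `cp` pointing into an already NUL-terminated `arcs_cmdline`; the enclosing function starts outside the hunk, so that is worth confirming.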
@@ -95,10 +97,9 @@
}

/* Ok, we want it. */
- len = strlen(prom_argv(actr));
- memcpy(cp, prom_argv(actr), len + 1);
- cp += len;
- *cp++ = ' ';
+ strlcat(arcs_cmdline, prom_argv(actr), COMMAND_LINE_SIZE);
+ strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE);
+ cp = arcs_cmdline + strlen(arcs_cmdline);

pic_cont:
actr++;
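Review bot: Once the buffer is full, `strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE)` appends nothing, so after this hunk `cp` may point just past the last byte of a truncated argument and no longer just past a separator space. If the code after the loop (not visible in this hunk) still removes one trailing character through `cp` on the assumption that it is that space, it would now drop a real character. A guard such as `if (cp != arcs_cmdline && cp[-1] == ' ') --cp;` keeps the trim correct in the truncated case. The loop body starts and ends outside the hunk.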
--
2.50.1 (Apple Git-155)