[PATCH] MIPS: validate DT bootargs before appending them

Next message: Changhuang Liang: "[PATCH v1 05/13] clk: starfive: Add peripheral-0 domain PLL clock driver"
Previous message: Pengpeng Hou: "[PATCH] arc: validate DT CPU map strings before parsing them"
Next in thread: Sergey Shtylyov: "Re: [PATCH] MIPS: validate DT bootargs before appending them"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Fri Apr 03 2026 - 01:51:26 EST

bootcmdline_scan_chosen() fetches the raw flat-DT bootargs property and
passes it straight to bootcmdline_append(). That helper later feeds the
same pointer into strlcat(), which computes strlen(src) before copying.
Flat DT properties are external boot input, and this path does not
prove that bootargs is NUL-terminated within its declared bounds.

Reject unterminated bootargs properties before appending them to the
kernel command line.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/mips/kernel/setup.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
index f9b228e33f3b..dd7915110820 100644
--- a/arch/mips/kernel/setup.c
+++ b/arch/mips/kernel/setup.c
@@ -31,6 +31,7 @@
#include <linux/of_fdt.h>
#include <linux/dmi.h>
#include <linux/crash_dump.h>
+#include <linux/string.h>

#include <asm/addrspace.h>
#include <asm/bootinfo.h>
@@ -541,6 +542,9 @@ static int __init bootcmdline_scan_chosen(unsigned long node, const char *uname,

p = of_get_flat_dt_prop(node, "bootargs", &l);
if (p != NULL && l > 0) {
+ if (!memchr(p, '\0', l))
+ return 1;
+
bootcmdline_append(p, min(l, COMMAND_LINE_SIZE));
*dt_bootargs = true;
}
--
2.50.1 (Apple Git-155)