[PATCH] ARM: atags_compat: bound the deprecated command line copy

From: Pengpeng Hou

Date: Sat Apr 04 2026 - 04:51:43 EST


`build_tag_list()` still converts the deprecated `param_struct`
command line with `strlen()` and `strcpy()` from a fixed
`commandline[COMMAND_LINE_SIZE]` array.

That source buffer is not locally proven NUL-terminated before the
conversion runs, so malformed old boot parameters can make the helper
read past the end of the source array while sizing or copying the ATAG
command line.

Use `strnlen()` against the source buffer size and copy the bounded
length with an explicit terminator.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/arm/kernel/atags_compat.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/arch/arm/kernel/atags_compat.c b/arch/arm/kernel/atags_compat.c
index 10da11c212cc..aa149710f0c0 100644
--- a/arch/arm/kernel/atags_compat.c
+++ b/arch/arm/kernel/atags_compat.c
@@ -92,6 +92,7 @@ static struct tag * __init memtag(struct tag *tag, unsigned long start, unsigned
static void __init build_tag_list(struct param_struct *params, void *taglist)
{
struct tag *tag = taglist;
+ size_t cmdline_len;

if (params->u1.s.page_size != PAGE_SIZE) {
pr_warn("Warning: bad configuration page, trying to continue\n");
@@ -195,9 +196,11 @@ static void __init build_tag_list(struct param_struct *params, void *taglist)

tag = tag_next(tag);
tag->hdr.tag = ATAG_CMDLINE;
- tag->hdr.size = (strlen(params->commandline) + 3 +
+ cmdline_len = strnlen(params->commandline, sizeof(params->commandline));
+ tag->hdr.size = (cmdline_len + 1 + 3 +
sizeof(struct tag_header)) >> 2;
- strcpy(tag->u.cmdline.cmdline, params->commandline);
+ memcpy(tag->u.cmdline.cmdline, params->commandline, cmdline_len);
+ tag->u.cmdline.cmdline[cmdline_len] = '\0';

tag = tag_next(tag);
tag->hdr.tag = ATAG_NONE;
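Review bot: The unterminated case is handled silently: when `strnlen()` returns `sizeof(params->commandline)`, the copy goes ahead with a full-length command line taken from a malformed parameter block and nothing is logged. build_tag_list() already warns about a bad page size earlier in the function, so a matching `if (cmdline_len == sizeof(params->commandline)) pr_warn("Warning: command line not NUL-terminated\n");` after the `strnlen()` call would make this visible at boot. The `hdr.size` expression also gains a `+ 1` for the terminator, which changes the tag size for well-formed input too (the old `strlen() + 3` rounding appears to leave no room for the NUL when the length is a multiple of four); that deserves a sentence in the changelog or a comment above the line. The write is still bounded only by the source size: where `taglist` points and how much room it has are outside the hunk, so confirm that `cmdline_len + 1` bytes fit there and that source and destination cannot overlap, which `memcpy()` requires. The function body starts and ends outside the hunk.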
--
2.50.1 (Apple Git-155)