[PATCH] xtensa: iss: bound command line construction in platform_setup()

Next message: Yu-Chun Lin: "Re: [PATCH v6 07/10] clk: realtek: Add support for MMC-tuned PLL clocks"
Previous message: Huihui Huang: "[PATCH v2] staging: media: ipu7: fix boot_config leak on queue_mem failure"
Next in thread: Max Filippov: "Re: [PATCH] xtensa: iss: bound command line construction in platform_setup()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Fri Apr 17 2026 - 03:49:01 EST

platform_setup() concatenates simulator arguments into the fixed
COMMAND_LINE_SIZE cmdline buffer with raw strcat() appends.

The code only checks the size of the argv pointer block that simc_argv()
fills, not the final length of the concatenated command line string, so a
long enough argument list can write past the end of cmdline.

Build the command line with scnprintf() and stop once the fixed buffer is
full.

Fixes: b26d0ab0e6fa ("[XTENSA] Concentrate platforms into one platforms directory.")

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/xtensa/platforms/iss/setup.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/arch/xtensa/platforms/iss/setup.c b/arch/xtensa/platforms/iss/setup.c
index 0f1fe132691e..9bc7f21c9a0c 100644
--- a/arch/xtensa/platforms/iss/setup.c
+++ b/arch/xtensa/platforms/iss/setup.c
@@ -69,15 +69,21 @@ void __init platform_setup(char **p_cmdline)
pr_err("%s: command line too long: argv_size = %d\n",
__func__, argv_size);
} else {
- int i;
+ int i, len = 0;

cmdline[0] = 0;
simc_argv((void *)argv);

for (i = 1; i < argc; ++i) {
- if (i > 1)
- strcat(cmdline, " ");
- strcat(cmdline, argv[i]);
+ len += scnprintf(cmdline + len,
+ COMMAND_LINE_SIZE - len,
+ "%s%s", i > 1 ? " " : "",
+ argv[i]);
+ if (len >= COMMAND_LINE_SIZE - 1) {
+ pr_err("%s: command line too long\n",
+ __func__);
+ break;
+ }
}
*p_cmdline = cmdline;
}
--
2.50.1 (Apple Git-155)