Re: [PATCH] xtensa: iss: bound command line construction in platform_setup()

From: Max Filippov

Date: Fri Apr 17 2026 - 04:40:12 EST


On Fri, Apr 17, 2026 at 12:42 AM Pengpeng Hou <pengpeng@xxxxxxxxxxx> wrote:
>
> platform_setup() concatenates simulator arguments into the fixed
> COMMAND_LINE_SIZE cmdline buffer with raw strcat() appends.
>
> The code only checks the size of the argv pointer block that simc_argv()
> fills, not the final length of the concatenated command line string, so a
> long enough argument list can write past the end of cmdline.

This cannot happen, because simc_argv_size() returns the total size of the
args block. For each argument it includes an argv pointer (4 bytes), the
corresponding string and its null-terminator character. That means
that the total size of all argv strings with spaces between them and a null
terminator is less than the value returned by simc_argv_size().

> Build the command line with scnprintf() and stop once the fixed buffer is
> full.
>
> Fixes: b26d0ab0e6fa ("[XTENSA] Concentrate platforms into one platforms directory.")
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> arch/xtensa/platforms/iss/setup.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/arch/xtensa/platforms/iss/setup.c b/arch/xtensa/platforms/iss/setup.c
> index 0f1fe132691e..9bc7f21c9a0c 100644
> --- a/arch/xtensa/platforms/iss/setup.c
> +++ b/arch/xtensa/platforms/iss/setup.c
> @@ -69,15 +69,21 @@ void __init platform_setup(char **p_cmdline)
> pr_err("%s: command line too long: argv_size = %d\n",
> __func__, argv_size);
> } else {
> - int i;
> + int i, len = 0;
>
> cmdline[0] = 0;
> simc_argv((void *)argv);
>
> for (i = 1; i < argc; ++i) {
> - if (i > 1)
> - strcat(cmdline, " ");
> - strcat(cmdline, argv[i]);
> + len += scnprintf(cmdline + len,
> + COMMAND_LINE_SIZE - len,
> + "%s%s", i > 1 ? " " : "",
> + argv[i]);
> + if (len >= COMMAND_LINE_SIZE - 1) {
> + pr_err("%s: command line too long\n",
> + __func__);
> + break;
> + }
> }
> *p_cmdline = cmdline;

This assignment would still happen even in case an overflow's
been detected.

> }
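Review bot: the `if (len >= COMMAND_LINE_SIZE - 1)` check also fires when the concatenated command line exactly fills the buffer, because scnprintf() caps its return value at `size - 1`, so an exact fit is reported as "command line too long" even though nothing was dropped. If truncation is really what should be reported, compare against the untruncated length (the value snprintf() would return) rather than the capped one, and, as noted above, skip the `*p_cmdline = cmdline;` assignment on that path the same way the `argv_size` error branch before the `} else {` does.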
> --
> 2.50.1 (Apple Git-155)
>

--
Thanks.
-- Max
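The size accounting in Max's reply, worked through as an added C example (not kernel code from the thread): argv_block_size() models what simc_argv_size() counts per argument as the reply describes it, join_args() is a bounded version of the strcat() loop, and build_cmdline() mirrors the existing argv_size check. The 4-byte pointer width, the COMMAND_LINE_SIZE value and the sample argument lists are assumptions; the kernel's exact comparison in that check is not shown on the page.

```c
#include <assert.h>
#include <string.h>
#define PTR_SIZE 4            /* argv pointer width on 32-bit xtensa, per the reply */
#define COMMAND_LINE_SIZE 48  /* constructed stand-in for the kernel constant */

static char cmdline[COMMAND_LINE_SIZE];

/* Model of simc_argv_size(): per argument one argv pointer, the string bytes
 * and the NUL, as the reply describes (a trailing NULL pointer, if the
 * simulator adds one, only makes the block larger). */
static size_t argv_block_size(int argc, const char *const *argv)
{
	size_t size = 0;
	for (int i = 0; i < argc; i++)
		size += PTR_SIZE + strlen(argv[i]) + 1;
	return size;
}

/* Join argv[1..argc-1] with single spaces into out[out_size].
 * Returns the joined length, or -1 if it would not fit. */
static int join_args(int argc, const char *const *argv, char *out, size_t out_size)
{
	size_t len = 0;
	out[0] = 0;
	for (int i = 1; i < argc; i++) {
		size_t alen = strlen(argv[i]);
		if (len + (i > 1) + alen + 1 > out_size)
			return -1;
		if (i > 1)
			out[len++] = ' ';
		memcpy(out + len, argv[i], alen + 1);	/* copies the NUL as well */
		len += alen;
	}
	return (int)len;
}

/* Mirror of the argv_size check in platform_setup() (the kernel's exact
 * comparison is not shown here). A list that passes joins to strictly fewer
 * than argv_size bytes, which is why the strcat() loop cannot overrun. */
static int build_cmdline(int argc, const char *const *argv)
{
	size_t argv_size = argv_block_size(argc, argv);
	if (argv_size > COMMAND_LINE_SIZE)
		return -1;
	int len = join_args(argc, argv, cmdline, COMMAND_LINE_SIZE);
	assert(len >= 0 && (size_t)len + 1 < argv_size);
	return len;
}

/* Constructed sample lists: one that fits, one the size check rejects. */
static const char *const ok_argv[] = { "iss", "console=ttyS0", "root=/dev/ram0" };
static const char *const big_argv[] = { "iss", "this-argument-is-far-too-long-for-the-buffer" };
```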