[PATCH RESEND 1/2] x86/boot: validate earlyprintk= baud rate
From: Thorsten Blum
Date: Wed May 13 2026 - 12:50:38 EST
parse_earlyprintk() parses the baud rate from the earlyprintk= boot
parameter with simple_strtoull(), stores it in an int, and passes it to
early_serial_init() without validating its range first. Large rates can
then be truncated to a non-zero int, after which early_serial_init()
computes the UART divisor from a potentially corrupted baud rate.
Validate the parsed baud rate before narrowing it to int and only accept
rates from 2 to BASE_BAUD, which fit in the 16-bit divisor written to
DLL/DLH.
Values greater than BASE_BAUD would produce divisor 0, and
baud 1 would produce divisor BASE_BAUD, which exceeds 16 bits.
Only parse the baud rate when a usable port has been selected, since
baud is not used otherwise.
Fall back to DEFAULT_BAUD for out-of-range values.
Signed-off-by: Thorsten Blum <thorsten.blum@xxxxxxxxx>
---
arch/x86/boot/early_serial_console.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/arch/x86/boot/early_serial_console.c b/arch/x86/boot/early_serial_console.c
index 023bf1c3de8b..ad12b377cce0 100644
--- a/arch/x86/boot/early_serial_console.c
+++ b/arch/x86/boot/early_serial_console.c
@@ -22,6 +22,7 @@
#define DLH 1 /* Divisor latch High */
#define DEFAULT_BAUD 9600
+#define BASE_BAUD (1843200/16)
static void early_serial_init(int port, int baud)
{
@@ -89,16 +90,20 @@ static void parse_earlyprintk(void)
if (arg[pos] == ',')
pos++;
- baud = simple_strtoull(arg + pos, &e, 0);
- if (baud == 0 || arg + pos == e)
- baud = DEFAULT_BAUD;
+ /* Parse the baud rate only if a usable port is selected. */
+ if (port) {
+ unsigned long long parsed_baud;
+
+ parsed_baud = simple_strtoull(arg + pos, NULL, 0);
+ if (parsed_baud >= 2 && parsed_baud <= BASE_BAUD)
+ baud = (int)parsed_baud;
+ }
}
if (port)
early_serial_init(port, baud);
}
-#define BASE_BAUD (1843200/16)
static unsigned int probe_baud(int port)
{
unsigned char lcr, dll, dlh;