Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

Next message: Andy Shevchenko: "Re: [PATCH v2 0/1] gpiolib: acpi: Add quirk for ASUS ROG Strix G16 G614 series"
Previous message: Andy Shevchenko: "Re: [PATCH v2 1/2] iio: chemical: sps30: update email"
In reply to: Borislav Petkov: "Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values"
Next in thread: Borislav Petkov: "Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Thorsten Blum

Date: Thu Jun 18 2026 - 13:59:27 EST

On Thu, Jun 18, 2026 at 09:38:56AM -0700, Borislav Petkov wrote:
> On Thu, Jun 18, 2026 at 05:03:46PM +0200, Thorsten Blum wrote:
> > get_cmdline_acpi_rsdp() can truncate it into a different, parseable
> > address and use that instead.
>
> How?

The buffer has 19 bytes to hold the "0x" prefix, 16 hex digits, and the
NUL terminator.

cmdline_find_option() copies only bufsize - 1 bytes, but returns the
full argument length. So for example:

acpi_rsdp=0x0123456789abcdefx

gets copied as:

0x0123456789abcdef

which boot_kstrtoul() parses successfully. The user supplied an invalid
value, but we silently use the truncated prefix as the RSDP address.