Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values
From: Borislav Petkov
Date: Thu Jun 18 2026 - 14:05:45 EST

On Thu, Jun 18, 2026 at 07:59:09PM +0200, Thorsten Blum wrote:
> On Thu, Jun 18, 2026 at 09:38:56AM -0700, Borislav Petkov wrote:
> > On Thu, Jun 18, 2026 at 05:03:46PM +0200, Thorsten Blum wrote:
> > > get_cmdline_acpi_rsdp() can truncate it into a different, parseable
> > > address and use that instead.
> >
> > How?
>
> The buffer has 19 bytes to hold the "0x" prefix, 16 hex digits, and the
> NUL terminator.
>
> cmdline_find_option() copies only bufsize - 1 bytes, but returns the
> full argument length. So for example:
>
> acpi_rsdp=0x0123456789abcdefx
>
> gets copied as:
>
> 0x0123456789abcdef
>
> which boot_kstrtoul() parses successfully. The user supplied an invalid
> value, but we silently use the truncated prefix as the RSDP address.

My question stands:

"Or are we protecting people from shooting themselves in the foot now too?"

Especially users who should know what they're doing...

IOW, how far are we going to "protect" here?

--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
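
The truncation described in the quoted explanation, reproduced in user space as an added example that is not part of this message or of the kernel source. `find_option()` is a hypothetical, simplified stand-in for `cmdline_find_option()`, `strtoull()` stands in for `boot_kstrtoul()`, and the `strict` length check is an assumed form of the rejection the patch subject names.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ADDR_LEN 19 /* "0x" + 16 hex digits + NUL, as stated in the thread */

/* Hypothetical stand-in for cmdline_find_option(): copies at most
 * bufsize - 1 bytes of the value but returns the full value length,
 * or -1 when the option is absent. */
static int find_option(const char *cmdline, const char *opt, char *buf, int bufsize)
{
    size_t optlen = strlen(opt);
    const char *p = cmdline;

    while ((p = strstr(p, opt)) != NULL) {
        if ((p == cmdline || p[-1] == ' ') && p[optlen] == '=') {
            const char *val = p + optlen + 1;
            int len = (int)strcspn(val, " ");
            int n = len < bufsize - 1 ? len : bufsize - 1;

            memcpy(buf, val, (size_t)n);
            buf[n] = '\0';
            return len;
        }
        p += optlen;
    }
    return -1;
}

/* Returns 0 and stores the address, or -1 on failure. With strict == 0
 * only the copied prefix is parsed; with strict != 0 a value that did
 * not fit in the buffer is rejected before parsing. */
static int parse_rsdp(const char *cmdline, int strict, unsigned long long *addr)
{
    char val[MAX_ADDR_LEN];
    char *end;
    int len = find_option(cmdline, "acpi_rsdp", val, (int)sizeof(val));

    if (len <= 0)
        return -1;
    if (strict && len >= (int)sizeof(val))
        return -1; /* copy was truncated: not the value the user typed */

    errno = 0;
    *addr = strtoull(val, &end, 16);
    return (errno || end == val || *end) ? -1 : 0;
}
```

Trailing garbage that lands inside the 18 copied bytes already fails the parse in both modes; only garbage at or past the buffer boundary is silently dropped without the length check.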