[PATCH v3] x86/boot: Reject overlong acpi_rsdp= values
From: Thorsten Blum
Date: Sun Jun 21 2026 - 13:01:48 EST
cmdline_find_option() returns the full length of the acpi_rsdp= value
even if it is truncated. However, get_cmdline_acpi_rsdp() only checks
whether acpi_rsdp= is present and does not reject overlong values that
do not fit in the buffer.
Reject overlong values and warn to prevent boot_kstrtoul() from parsing
a truncated value and thus from silently using the wrong RSDP address.
Fixes: 3c98e71b42a7 ("x86/boot: Add "acpi_rsdp=" early parsing")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Thorsten Blum <thorsten.blum@xxxxxxxxx>
---
Changes in v3:
- Drop the newline as warn() already prints newlines around the message
- v2: https://lore.kernel.org/r/20260621131836.175468-2-thorsten.blum@xxxxxxxxx/
Changes in v2:
- Warn on overlong acpi_rsdp= values (Boris)
- v1: https://lore.kernel.org/r/20260617130417.36651-4-thorsten.blum@xxxxxxxxx/
---
arch/x86/boot/compressed/acpi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/acpi.c b/arch/x86/boot/compressed/acpi.c
index f196b1d1ddf8..aed27604c11f 100644
--- a/arch/x86/boot/compressed/acpi.c
+++ b/arch/x86/boot/compressed/acpi.c
@@ -184,10 +184,15 @@ static unsigned long get_cmdline_acpi_rsdp(void)
char val[MAX_ADDR_LEN] = { };
int ret;
- ret = cmdline_find_option("acpi_rsdp", val, MAX_ADDR_LEN);
+ ret = cmdline_find_option("acpi_rsdp", val, sizeof(val));
if (ret < 0)
return 0;
+ if (ret >= sizeof(val)) {
+ warn("acpi_rsdp= value too long; ignoring");
+ return 0;
+ }
+
if (boot_kstrtoul(val, 16, &addr))
return 0;
#endif