From: Pengpeng Hou
To: maddy@linux.ibm.com
Cc: mpe@ellerman.id.au, npiggin@gmail.com, chleroy@kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH] powerpc/boot: reject oversized path properties before string lookups
Date: Thu, 2 Apr 2026 00:03:14 +0800
Message-ID: <20260401160314.88502-1-pengpeng@iscas.ac.cn>
X-Mailer: git-send-email 2.50.1
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

The boot wrapper reads alias, stdout-path, and device_type properties with getprop() and then passes them to finddevice() and strcmp() as C strings.
getprop() reports a length but does not append a trailing NUL, so these lookups can run past the fixed stack buffers. Introduce a small boot-side string helper and make it reject properties that do not fit in their destination buffers. Signed-off-by: Pengpeng Hou --- arch/powerpc/boot/ops.h | 25 ++++++++++++++++++++++++- arch/powerpc/boot/serial.c | 7 ++++--- 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/arch/powerpc/boot/ops.h b/arch/powerpc/boot/ops.h index a40c2162a4e9..06149b4f2555 100644 --- a/arch/powerpc/boot/ops.h +++ b/arch/powerpc/boot/ops.h @@ -106,6 +106,29 @@ static inline int getprop(void *devp, const char *name= , void *buf, int buflen) return (dt_ops.getprop) ? dt_ops.getprop(devp, name, buf, buflen) : -1; } =20 +static inline int getprop_str(void *devp, const char *name, char *buf, + int buflen) +{ + int len; + + if (buflen <=3D 0) + return -1; + + len =3D getprop(devp, name, buf, buflen); + if (len <=3D 0) { + buf[0] =3D '\0'; + return len; + } + + if (len >=3D buflen) { + buf[buflen - 1] =3D '\0'; + return -1; + } + buf[len] =3D '\0'; + + return len; +} + static inline int setprop(void *devp, const char *name, const void *buf, int buflen) { @@ -172,7 +195,7 @@ static inline void *find_node_by_alias(const char *alia= s) =20 if (devp) { char path[MAX_PATH_LEN]; - if (getprop(devp, alias, path, MAX_PATH_LEN) > 0) + if (getprop_str(devp, alias, path, MAX_PATH_LEN) > 0) return finddevice(path); } =20 diff --git a/arch/powerpc/boot/serial.c b/arch/powerpc/boot/serial.c index c6d32a8c3612..074e69d66974 100644 --- a/arch/powerpc/boot/serial.c +++ b/arch/powerpc/boot/serial.c 
@@ -90,13 +90,14 @@ static void *serial_get_stdout_devp(void) if (devp =3D=3D NULL) goto err_out; =20 - if (getprop(devp, "linux,stdout-path", path, MAX_PATH_LEN) > 0 || - getprop(devp, "stdout-path", path, MAX_PATH_LEN) > 0) { + if (getprop_str(devp, "linux,stdout-path", path, MAX_PATH_LEN) > 0 || + getprop_str(devp, "stdout-path", path, MAX_PATH_LEN) > 0) { devp =3D finddevice(path); if (devp =3D=3D NULL) goto err_out; =20 - if ((getprop(devp, "device_type", devtype, sizeof(devtype)) > 0) + if ((getprop_str(devp, "device_type", devtype, + sizeof(devtype)) > 0) && !strcmp(devtype, "serial")) return devp; } --=20 2.50.1 (Apple Git-155)
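Review bot: in getprop_str() (arch/powerpc/boot/ops.h), the "len >= buflen" branch also rejects a property that is exactly buflen bytes long with its own NUL as the last byte, even though that string fits in the buffer. Device tree string values normally count their terminator in the length, so a path of MAX_PATH_LEN - 1 characters that the old "> 0" check accepted now fails. Consider accepting len == buflen when buf[buflen - 1] is already '\0', or say in a comment above the helper that the limit is buflen - 1 bytes including any terminator. That comment could also record the return contract: -1 covers both an oversized value and the -1 that getprop() returns when dt_ops.getprop is unset, and buf is NUL-terminated at buflen - 1 in the oversized case.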
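Review bot: in serial_get_stdout_devp() (arch/powerpc/boot/serial.c), an oversized "linux,stdout-path" now makes getprop_str() return -1, so the || silently moves on to "stdout-path" and the malformed property goes unnoticed. If that fallback is intended, a short comment at the condition would make it explicit. The same applies to the "device_type" check, where an oversized value is now treated the same as a device that is not "serial".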