From: Pengpeng Hou
Date: Fri, 3 Apr 2026 16:56:31 +0800
Message-ID: <20260404101004.4-arm-atags-pengpeng@iscas.ac.cn>
To: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH] ARM: atags_compat: bound the deprecated command line copy

`build_tag_list()` still converts the deprecated `param_struct` command line with `strlen()` and `strcpy()` from a fixed `commandline[COMMAND_LINE_SIZE]` array.
That source buffer is not locally proven NUL-terminated before the conversion runs, so malformed old boot parameters can make the helper read past the end of the source array while sizing or copying the ATAG command line. Use `strnlen()` against the source buffer size and copy the bounded length with an explicit terminator. Signed-off-by: Pengpeng Hou --- arch/arm/kernel/atags_compat.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/arm/kernel/atags_compat.c b/arch/arm/kernel/atags_compat.c index 10da11c212cc..aa149710f0c0 100644 --- a/arch/arm/kernel/atags_compat.c +++ b/arch/arm/kernel/atags_compat.c @@ -92,6 +92,7 @@ static struct tag * __init memtag(struct tag *tag, unsign= ed long start, unsigned static void __init build_tag_list(struct param_struct *params, void *tagli= st) { struct tag *tag =3D taglist; + size_t cmdline_len; =20 if (params->u1.s.page_size !=3D PAGE_SIZE) { pr_warn("Warning: bad configuration page, trying to continue\n"); @@ -195,9 +196,11 @@ static void __init build_tag_list(struct param_struct = *params, void *taglist) =20 tag =3D tag_next(tag); tag->hdr.tag =3D ATAG_CMDLINE; - tag->hdr.size =3D (strlen(params->commandline) + 3 + + cmdline_len =3D strnlen(params->commandline, sizeof(params->commandline)); + tag->hdr.size =3D (cmdline_len + 1 + 3 + sizeof(struct tag_header)) >> 2; - strcpy(tag->u.cmdline.cmdline, params->commandline); + memcpy(tag->u.cmdline.cmdline, params->commandline, cmdline_len); + tag->u.cmdline.cmdline[cmdline_len] =3D '\0'; =20 tag =3D tag_next(tag); tag->hdr.tag =3D ATAG_NONE; --=20 2.50.1 (Apple Git-155)
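Review bot: the `+ 1` added to the `tag->hdr.size` computation in the second hunk is a second behavioural change the changelog does not mention: the old `strlen(params->commandline) + 3 + sizeof(struct tag_header)` expression reserved no byte for the terminating NUL, so for command lines whose length is a multiple of four the tag came out one word short and the terminator `strcpy()` wrote landed where the next tag header goes. The new `cmdline_len + 1 + 3 + sizeof(struct tag_header)` fixes that, which is good, but please state it in the commit message (e.g. "also account for the NUL terminator when sizing the ATAG_CMDLINE tag") so reviewers and backporters can see why the size changes for terminated inputs too.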
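As an added illustration of the changelog's point, and not code from the patch or the kernel: a constructed, self-contained model of the old and the bounded command-line conversion. `COMMAND_LINE_SIZE` is shrunk to 16 and the struct layout is an assumption, so the unterminated-source case and the sizing difference are easy to exercise.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strnlen() */
#include <stdint.h>
#include <string.h>

/* Constructed model: names follow the patch, sizes are assumptions.
 * COMMAND_LINE_SIZE is shrunk to 16 so the edge cases are easy to see;
 * the tag header is two 32-bit words, as in the kernel. */
#define COMMAND_LINE_SIZE 16
struct tag_header { uint32_t size; uint32_t tag; };
/* Pre-patch sizing (words): strlen() may run past the source array and
 * the expression reserves no byte for the terminator. */
size_t old_cmdline_tag_words(const char *cmdline)
{
    return (strlen(cmdline) + 3 + sizeof(struct tag_header)) >> 2;
}
/* Patched sizing (words): length bounded by the source array, plus one
 * for the explicit NUL, rounded up to whole words. */
size_t new_cmdline_tag_words(const char *cmdline, size_t cap)
{
    size_t len = strnlen(cmdline, cap);
    return (len + 1 + 3 + sizeof(struct tag_header)) >> 2;
}

/* Patched copy: reads at most cap source bytes and always terminates dst,
 * which must hold strnlen(src, cap) + 1 bytes. Returns bytes copied. */
size_t copy_cmdline_bounded(char *dst, const char *src, size_t cap)
{
    size_t len = strnlen(src, cap);
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Worst case from the changelog: a source array with no NUL at all.
 * Returns 1 if the copy stopped at the array bound and terminated dst. */
int unterminated_source_is_bounded(void)
{
    char src[COMMAND_LINE_SIZE], dst[COMMAND_LINE_SIZE + 1];
    memset(src, 'x', sizeof(src));              /* constructed, unterminated */
    size_t n = copy_cmdline_bounded(dst, src, sizeof(src));
    return n == COMMAND_LINE_SIZE && dst[n] == '\0' && strlen(dst) == n;
}

/* Returns 1 when the old expression allocates fewer bytes than the tag
 * needs (header + text + NUL): true whenever strlen() is a multiple of 4. */
int old_sizing_is_short_for(const char *cmdline)
{
    size_t need = sizeof(struct tag_header) + strlen(cmdline) + 1;
    return old_cmdline_tag_words(cmdline) * 4 < need;
}
```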