[PATCH] kexec/powerpc: Handle buffer overflow in kernel command line

Tue Apr 2 04:03:19 EDT 2013

From: Suzuki K. Poulose <suzuki at in.ibm.com>

Enforce size check for kernel command line to make sure it
doesn't overflow COMMAND_LINE_SIZE.

Reported-by: Nathan D. Miller <nathanm2 at us.ibm.com>
Signed-off-by: Suzuki K. Poulose <suzuki at in.ibm.com>
---
 kexec/arch/ppc/kexec-elf-ppc.c    |   41 ++++++++++++++++++-------------------
 kexec/arch/ppc/kexec-uImage-ppc.c |   31 ++++++++++++++--------------
 2 files changed, 35 insertions(+), 37 deletions(-)

diff --git a/kexec/arch/ppc/kexec-elf-ppc.c b/kexec/arch/ppc/kexec-elf-ppc.c
index 5f63a64..7ba8421 100644
--- a/kexec/arch/ppc/kexec-elf-ppc.c
+++ b/kexec/arch/ppc/kexec-elf-ppc.c
@@ -156,7 +156,7 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
 {
 	struct mem_ehdr ehdr;
 	char *command_line, *crash_cmdline, *cmdline_buf;
-	int command_line_len;
+	int command_line_len, crash_cmdline_len;
 	char *dtb;
 	int result;
 	unsigned long max_addr, hole_addr;
@@ -233,27 +233,15 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
 	}
 
 	command_line_len = 0;
-	if (command_line) {
-		command_line_len = strlen(command_line) + 1;
-	} else {
+	if (!command_line)
 		command_line = get_command_line();
-		command_line_len = strlen(command_line) + 1;
-	}
+	command_line_len = strlen(command_line);
 
 	if (ramdisk && reuse_initrd)
 		die("Can't specify --ramdisk or --initrd with --reuseinitrd\n");
 
 	fixup_nodes[cur_fixup] = NULL;
 
-	/* Need to append some command line parameters internally in case of
-	 * taking crash dumps.
-	 */
-	if (info->kexec_flags & KEXEC_ON_CRASH) {
-		crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
-		memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
-	} else
-		crash_cmdline = NULL;
-
 	/* Parse the Elf file */
 	result = build_elf_exec_info(buf, len, &ehdr, 0);
 	if (result < 0) {
@@ -291,26 +279,37 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
 		return result;
 	}
 
-	/* If panic kernel is being loaded, additional segments need
-	 * to be created.
+	/*
+	 * Need to append some command line parameters internally in case of
+	 * taking crash dumps. Additional segments have to be loaded for panic
+	 * kernel.
 	 */
 	if (info->kexec_flags & KEXEC_ON_CRASH) {
+		crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
+		memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
 		result = load_crashdump_segments(info, crash_cmdline,
 						max_addr, 0);
 		if (result < 0) {
 			free(crash_cmdline);
 			return -1;
 		}
+		crash_cmdline_len = strlen(crash_cmdline);
+	} else {
+		crash_cmdline = NULL;
+		crash_cmdline_len = 0;
 	}
 
+	if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
+		printf ("Command line buffer overflow\n");
+		return -1;
+	}
+		
 	cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
 	memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
 	if (command_line)
-		strncat(cmdline_buf, command_line, command_line_len);
+		strcpy(cmdline_buf, command_line);
 	if (crash_cmdline)
-		strncat(cmdline_buf, crash_cmdline,
-				sizeof(crash_cmdline) -
-				strlen(crash_cmdline) - 1);
+		strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
 
 	/*
 	 * In case of a toy we take the hardcoded things and an easy setup via
diff --git a/kexec/arch/ppc/kexec-uImage-ppc.c b/kexec/arch/ppc/kexec-uImage-ppc.c
index 900cd16..0c96bac 100644
--- a/kexec/arch/ppc/kexec-uImage-ppc.c
+++ b/kexec/arch/ppc/kexec-uImage-ppc.c
@@ -81,7 +81,7 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
 		unsigned int ep)
 {
 	char *command_line, *cmdline_buf, *crash_cmdline;
-	int command_line_len;
+	int command_line_len, crash_cmdline_len;
 	char *dtb;
 	unsigned int addr;
 	unsigned long dtb_addr;
@@ -140,13 +140,10 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
 		die("Can't specify --ramdisk or --initrd with --reuseinitrd\n");
 
 	command_line_len = 0;
-	if (command_line) {
-		command_line_len = strlen(command_line) + 1;
-	} else {
+	if (!command_line)
 		command_line = get_command_line();
-		command_line_len = strlen(command_line) + 1;
-	}
 
+	command_line_len = strlen(command_line);
 	fixup_nodes[cur_fixup] = NULL;
 
 	/*
@@ -179,25 +176,27 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
 	if (info->kexec_flags & KEXEC_ON_CRASH) {
                 crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
                 memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
-        } else
-                crash_cmdline = NULL;
-
-	if (info->kexec_flags & KEXEC_ON_CRASH) {
 		ret = load_crashdump_segments(info, crash_cmdline,
 						max_addr, 0);
-		if (ret < 0) {
+		if (ret < 0)
 			return -1;
-		}
+		crash_cmdline_len = strlen(crash_cmdline);
+	} else {
+		crash_cmdline = NULL;
+		crash_cmdline_len = 0;
+	}
+
+	if (command_line_len + crash_cmdline_len + 1 > COMMAND_LINE_SIZE) {
+		printf("Command line buffer overflow \n");
+		return -1;
 	}
 
 	cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
 	memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
 	if (command_line)
-		strncat(cmdline_buf, command_line, command_line_len);
+		strcpy(cmdline_buf, command_line);
 	if (crash_cmdline)
-		strncat(cmdline_buf, crash_cmdline,
-			sizeof(crash_cmdline) -
-			strlen(crash_cmdline) - 1);
+		strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
 
 	elf_rel_build_load(info, &info->rhdr, (const char *)purgatory,
 				purgatory_size, 0, -1, -1, 0);


