[PATCH] Revert "kexec/powerpc: Handle buffer overflow in kernel command line"

Simon Horman horms at verge.net.au
Tue Apr 16 09:54:29 EDT 2013 

On Tue, Apr 16, 2013 at 09:04:31PM +0800, Zhang Yanfei wrote:
> Hi Simon,
> 
> I found that you may apply the patch from Suzuki with a wrong commit
> description by mistake. So I send this revert patch and resend the
> patch in another mail with a subject:
>     "[PATCH RESEND] kexec/powerpc: Handle buffer overflow in kernel command line"
> 
> Could you please apply the two patches?

Sorry for my carelessness.

I have removed the patch I applied earlier today, applied the
one you posted after this one and forcibly pushed the result.

> 
> Thanks
> Zhang
> 
> 于 2013年04月16日 20:59, Zhang Yanfei 写道:
> > From: Zhang Yanfei <zhangyanfei at cn.fujitsu.com>
> > 
> > This reverts commit d58dcae3e61b375578ff3145e627a5d85afb5f52.
> > 
> > The commit description is kind of wrong and maybe caused by Simon
> > when he applied the patch.
> > 
> > Signed-off-by: Zhang Yanfei <zhangyanfei at cn.fujitsu.com>
> > ---
> >  kexec/arch/ppc/kexec-elf-ppc.c    |   29 +++++++++++++----------------
> >  kexec/arch/ppc/kexec-uImage-ppc.c |   23 +++++++++--------------
> >  2 files changed, 22 insertions(+), 30 deletions(-)
> > 
> > diff --git a/kexec/arch/ppc/kexec-elf-ppc.c b/kexec/arch/ppc/kexec-elf-ppc.c
> > index 98cae9c..3daca2d 100644
> > --- a/kexec/arch/ppc/kexec-elf-ppc.c
> > +++ b/kexec/arch/ppc/kexec-elf-ppc.c
> > @@ -157,7 +157,7 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
> >  	struct mem_ehdr ehdr;
> >  	char *command_line, *crash_cmdline, *cmdline_buf;
> >  	char *tmp_cmdline;
> > -	int command_line_len, crash_cmdline_len;
> > +	int command_line_len;
> >  	char *dtb;
> >  	int result;
> >  	char *error_msg;
> > @@ -244,10 +244,19 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
> >  	} else {
> >  		command_line = get_command_line();
> >  	}
> > -	command_line_len = strlen(command_line);
> > +	command_line_len = strlen(command_line) + 1;
> >  
> >  	fixup_nodes[cur_fixup] = NULL;
> >  
> > +	/* Need to append some command line parameters internally in case of
> > +	 * taking crash dumps.
> > +	 */
> > +	if (info->kexec_flags & KEXEC_ON_CRASH) {
> > +		crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> > +		memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> > +	} else
> > +		crash_cmdline = NULL;
> > +
> >  	/* Parse the Elf file */
> >  	result = build_elf_exec_info(buf, len, &ehdr, 0);
> >  	if (result < 0) {
> > @@ -283,23 +292,16 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
> >  		goto out;
> >  	}
> >  
> > -	/*
> > -	 * Need to append some command line parameters internally in case of
> > -	 * taking crash dumps. Additional segments need to be created.
> > +	/* If panic kernel is being loaded, additional segments need
> > +	 * to be created.
> >  	 */
> >  	if (info->kexec_flags & KEXEC_ON_CRASH) {
> > -		crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> > -		memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> >  		result = load_crashdump_segments(info, crash_cmdline,
> >  						max_addr, 0);
> >  		if (result < 0) {
> >  			result = -1;
> >  			goto out;
> >  		}
> > -		crash_cmdline_len = strlen(crash_cmdline);
> > -	} else {
> > -		crash_cmdline = NULL;
> > -		crash_cmdline_len = 0;
> >  	}
> >  
> >  	/*
> > @@ -335,11 +337,6 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
> >  
> >  	info->entry = (void *)arg_base;
> >  #else
> > -	if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
> > -		printf("Kernel command line exceeds size\n");
> > -		return -1;
> > -	}
> > -
> >  	cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
> >  	memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
> >  	if (command_line)
> > diff --git a/kexec/arch/ppc/kexec-uImage-ppc.c b/kexec/arch/ppc/kexec-uImage-ppc.c
> > index 008463b..9113fbe 100644
> > --- a/kexec/arch/ppc/kexec-uImage-ppc.c
> > +++ b/kexec/arch/ppc/kexec-uImage-ppc.c
> > @@ -82,7 +82,7 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> >  {
> >  	char *command_line, *cmdline_buf, *crash_cmdline;
> >  	char *tmp_cmdline;
> > -	int command_line_len, crash_cmdline_len;
> > +	int command_line_len;
> >  	char *dtb;
> >  	unsigned int addr;
> >  	unsigned long dtb_addr;
> > @@ -178,34 +178,29 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> >  
> >  	add_segment(info, buf, len, load_addr, len + _1MiB);
> >  
> > -
> >  	if (info->kexec_flags & KEXEC_ON_CRASH) {
> >                  crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> >                  memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> > +        } else
> > +                crash_cmdline = NULL;
> > +
> > +	if (info->kexec_flags & KEXEC_ON_CRASH) {
> >  		ret = load_crashdump_segments(info, crash_cmdline,
> >  						max_addr, 0);
> >  		if (ret < 0) {
> >  			ret = -1;
> >  			goto out;
> >  		}
> > -		crash_cmdline_len = strlen(crash_cmdline);
> > -	} else {
> > -		crash_cmdline = NULL;
> > -		crash_cmdline_len = 0;
> > -	}
> > -
> > -	if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
> > -		printf("Kernel command line exceeds maximum possible length\n");
> > -		return -1;
> >  	}
> >  
> >  	cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
> >  	memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
> > -
> >  	if (command_line)
> > -		strcpy(cmdline_buf, command_line);
> > +		strncat(cmdline_buf, command_line, command_line_len);
> >  	if (crash_cmdline)
> > -		strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
> > +		strncat(cmdline_buf, crash_cmdline,
> > +			sizeof(crash_cmdline) -
> > +			strlen(crash_cmdline) - 1);
> >  
> >  	elf_rel_build_load(info, &info->rhdr, (const char *)purgatory,
> >  				purgatory_size, 0, -1, -1, 0);
>

More information about the kexec mailing list