From: Zhang Yanfei <zhangyanfei.yes@gmail.com>
To: "Suzuki K. Poulose" <suzuki@in.ibm.com>
Cc: horms@verge.net.au, kexec@lists.infradead.org
Subject: Re: [PATCH] kexec/powerpc: Handle buffer overflow in kernel command line
Date: Tue, 02 Apr 2013 18:58:07 +0800 [thread overview]
Message-ID: <515AB9BF.5080104@gmail.com> (raw)
In-Reply-To: <20130402080307.16143.41901.stgit@suzukikp.in.ibm.com>
Hello Suzuki,
Conflicts occur when I tried to apply the patch to latest kexec-tools by
using git am.
Applying: kexec/powerpc: Handle buffer overflow in kernel command line
/data/kexec-tools/.git/rebase-apply/patch:79: trailing whitespace.
error: patch failed: kexec/arch/ppc/kexec-elf-ppc.c:156
error: kexec/arch/ppc/kexec-elf-ppc.c: patch does not apply
error: patch failed: kexec/arch/ppc/kexec-uImage-ppc.c:81
error: kexec/arch/ppc/kexec-uImage-ppc.c: patch does not apply
Patch failed at 0001 kexec/powerpc: Handle buffer overflow in kernel command line
When you have resolved this problem run "git am --resolved".
If you would prefer to skip this patch, instead run "git am --skip".
To restore the original branch and stop patching run "git am --abort".
Thanks
Zhang
于 2013年04月02日 16:03, Suzuki K. Poulose 写道:
> From: Suzuki K. Poulose <suzuki@in.ibm.com>
>
> Enforce size check for kernel command line to make sure it
> doesn't overflow COMMAND_LINE_SIZE.
>
> Reported-by: Nathan D. Miller <nathanm2@us.ibm.com>
> Signed-off-by: Suzuki K. Poulose <suzuki@in.ibm.com>
> ---
> kexec/arch/ppc/kexec-elf-ppc.c | 41 ++++++++++++++++++-------------------
> kexec/arch/ppc/kexec-uImage-ppc.c | 31 ++++++++++++++--------------
> 2 files changed, 35 insertions(+), 37 deletions(-)
>
> diff --git a/kexec/arch/ppc/kexec-elf-ppc.c b/kexec/arch/ppc/kexec-elf-ppc.c
> index 5f63a64..7ba8421 100644
> --- a/kexec/arch/ppc/kexec-elf-ppc.c
> +++ b/kexec/arch/ppc/kexec-elf-ppc.c
> @@ -156,7 +156,7 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> {
> struct mem_ehdr ehdr;
> char *command_line, *crash_cmdline, *cmdline_buf;
> - int command_line_len;
> + int command_line_len, crash_cmdline_len;
> char *dtb;
> int result;
> unsigned long max_addr, hole_addr;
> @@ -233,27 +233,15 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> }
>
> command_line_len = 0;
> - if (command_line) {
> - command_line_len = strlen(command_line) + 1;
> - } else {
> + if (!command_line)
> command_line = get_command_line();
> - command_line_len = strlen(command_line) + 1;
> - }
> + command_line_len = strlen(command_line);
>
> if (ramdisk && reuse_initrd)
> die("Can't specify --ramdisk or --initrd with --reuseinitrd\n");
>
> fixup_nodes[cur_fixup] = NULL;
>
> - /* Need to append some command line parameters internally in case of
> - * taking crash dumps.
> - */
> - if (info->kexec_flags & KEXEC_ON_CRASH) {
> - crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> - memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> - } else
> - crash_cmdline = NULL;
> -
> /* Parse the Elf file */
> result = build_elf_exec_info(buf, len, &ehdr, 0);
> if (result < 0) {
> @@ -291,26 +279,37 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> return result;
> }
>
> - /* If panic kernel is being loaded, additional segments need
> - * to be created.
> + /*
> + * Need to append some command line parameters internally in case of
> + * taking crash dumps. Additional segments have to be loaded for panic
> + * kernel.
> */
> if (info->kexec_flags & KEXEC_ON_CRASH) {
> + crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> + memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> result = load_crashdump_segments(info, crash_cmdline,
> max_addr, 0);
> if (result < 0) {
> free(crash_cmdline);
> return -1;
> }
> + crash_cmdline_len = strlen(crash_cmdline);
> + } else {
> + crash_cmdline = NULL;
> + crash_cmdline_len = 0;
> }
>
> + if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
> + printf ("Command line buffer overflow\n");
> + return -1;
> + }
> +
> cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
> memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
> if (command_line)
> - strncat(cmdline_buf, command_line, command_line_len);
> + strcpy(cmdline_buf, command_line);
> if (crash_cmdline)
> - strncat(cmdline_buf, crash_cmdline,
> - sizeof(crash_cmdline) -
> - strlen(crash_cmdline) - 1);
> + strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
>
> /*
> * In case of a toy we take the hardcoded things and an easy setup via
> diff --git a/kexec/arch/ppc/kexec-uImage-ppc.c b/kexec/arch/ppc/kexec-uImage-ppc.c
> index 900cd16..0c96bac 100644
> --- a/kexec/arch/ppc/kexec-uImage-ppc.c
> +++ b/kexec/arch/ppc/kexec-uImage-ppc.c
> @@ -81,7 +81,7 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> unsigned int ep)
> {
> char *command_line, *cmdline_buf, *crash_cmdline;
> - int command_line_len;
> + int command_line_len, crash_cmdline_len;
> char *dtb;
> unsigned int addr;
> unsigned long dtb_addr;
> @@ -140,13 +140,10 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> die("Can't specify --ramdisk or --initrd with --reuseinitrd\n");
>
> command_line_len = 0;
> - if (command_line) {
> - command_line_len = strlen(command_line) + 1;
> - } else {
> + if (!command_line)
> command_line = get_command_line();
> - command_line_len = strlen(command_line) + 1;
> - }
>
> + command_line_len = strlen(command_line);
> fixup_nodes[cur_fixup] = NULL;
>
> /*
> @@ -179,25 +176,27 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> if (info->kexec_flags & KEXEC_ON_CRASH) {
> crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> - } else
> - crash_cmdline = NULL;
> -
> - if (info->kexec_flags & KEXEC_ON_CRASH) {
> ret = load_crashdump_segments(info, crash_cmdline,
> max_addr, 0);
> - if (ret < 0) {
> + if (ret < 0)
> return -1;
> - }
> + crash_cmdline_len = strlen(crash_cmdline);
> + } else {
> + crash_cmdline = NULL;
> + crash_cmdline_len = 0;
> + }
> +
> + if (command_line_len + crash_cmdline_len + 1 > COMMAND_LINE_SIZE) {
> + printf("Command line buffer overflow \n");
> + return -1;
> }
>
> cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
> memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
> if (command_line)
> - strncat(cmdline_buf, command_line, command_line_len);
> + strcpy(cmdline_buf, command_line);
> if (crash_cmdline)
> - strncat(cmdline_buf, crash_cmdline,
> - sizeof(crash_cmdline) -
> - strlen(crash_cmdline) - 1);
> + strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
>
> elf_rel_build_load(info, &info->rhdr, (const char *)purgatory,
> purgatory_size, 0, -1, -1, 0);
>
>
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2013-04-02 10:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-02 8:03 [PATCH] kexec/powerpc: Handle buffer overflow in kernel command line Suzuki K. Poulose
2013-04-02 10:58 ` Zhang Yanfei [this message]
2013-04-02 12:13 ` [UPDATED PATCH] " Suzuki K. Poulose
2013-04-16 6:17 ` Suzuki K. Poulose
2013-04-16 6:37 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=515AB9BF.5080104@gmail.com \
--to=zhangyanfei.yes@gmail.com \
--cc=horms@verge.net.au \
--cc=kexec@lists.infradead.org \
--cc=suzuki@in.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.