From: Zhang Yanfei <zhangyanfei.yes@gmail.com>
To: "Suzuki K. Poulose" <suzuki@in.ibm.com>
Cc: horms@verge.net.au, kexec@lists.infradead.org
Subject: Re: [PATCH] kexec/powerpc: Handle buffer overflow in kernel command line
Date: Tue, 02 Apr 2013 18:58:07 +0800 [thread overview]
Message-ID: <515AB9BF.5080104@gmail.com> (raw)
In-Reply-To: <20130402080307.16143.41901.stgit@suzukikp.in.ibm.com>
Hello Suzuki,
Conflicts occur when I tried to apply the patch to latest kexec-tools by
using git am.
Applying: kexec/powerpc: Handle buffer overflow in kernel command line
/data/kexec-tools/.git/rebase-apply/patch:79: trailing whitespace.
error: patch failed: kexec/arch/ppc/kexec-elf-ppc.c:156
error: kexec/arch/ppc/kexec-elf-ppc.c: patch does not apply
error: patch failed: kexec/arch/ppc/kexec-uImage-ppc.c:81
error: kexec/arch/ppc/kexec-uImage-ppc.c: patch does not apply
Patch failed at 0001 kexec/powerpc: Handle buffer overflow in kernel command line
When you have resolved this problem run "git am --resolved".
If you would prefer to skip this patch, instead run "git am --skip".
To restore the original branch and stop patching run "git am --abort".
Thanks
Zhang
于 2013年04月02日 16:03, Suzuki K. Poulose 写道:
> From: Suzuki K. Poulose <suzuki@in.ibm.com>
>
> Enforce size check for kernel command line to make sure it
> doesn't overflow COMMAND_LINE_SIZE.
>
> Reported-by: Nathan D. Miller <nathanm2@us.ibm.com>
> Signed-off-by: Suzuki K. Poulose <suzuki@in.ibm.com>
> ---
> kexec/arch/ppc/kexec-elf-ppc.c | 41 ++++++++++++++++++-------------------
> kexec/arch/ppc/kexec-uImage-ppc.c | 31 ++++++++++++++--------------
> 2 files changed, 35 insertions(+), 37 deletions(-)
>
> diff --git a/kexec/arch/ppc/kexec-elf-ppc.c b/kexec/arch/ppc/kexec-elf-ppc.c
> index 5f63a64..7ba8421 100644
> --- a/kexec/arch/ppc/kexec-elf-ppc.c
> +++ b/kexec/arch/ppc/kexec-elf-ppc.c
> @@ -156,7 +156,7 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> {
> struct mem_ehdr ehdr;
> char *command_line, *crash_cmdline, *cmdline_buf;
> - int command_line_len;
> + int command_line_len, crash_cmdline_len;
> char *dtb;
> int result;
> unsigned long max_addr, hole_addr;
> @@ -233,27 +233,15 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> }
>
> command_line_len = 0;
> - if (command_line) {
> - command_line_len = strlen(command_line) + 1;
> - } else {
> + if (!command_line)
> command_line = get_command_line();
> - command_line_len = strlen(command_line) + 1;
> - }
> + command_line_len = strlen(command_line);
>
> if (ramdisk && reuse_initrd)
> die("Can't specify --ramdisk or --initrd with --reuseinitrd\n");
>
> fixup_nodes[cur_fixup] = NULL;
>
> - /* Need to append some command line parameters internally in case of
> - * taking crash dumps.
> - */
> - if (info->kexec_flags & KEXEC_ON_CRASH) {
> - crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> - memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> - } else
> - crash_cmdline = NULL;
> -
> /* Parse the Elf file */
> result = build_elf_exec_info(buf, len, &ehdr, 0);
> if (result < 0) {
> @@ -291,26 +279,37 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> return result;
> }
>
> - /* If panic kernel is being loaded, additional segments need
> - * to be created.
> + /*
> + * Need to append some command line parameters internally in case of
> + * taking crash dumps. Additional segments have to be loaded for panic
> + * kernel.
> */
> if (info->kexec_flags & KEXEC_ON_CRASH) {
> + crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> + memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> result = load_crashdump_segments(info, crash_cmdline,
> max_addr, 0);
> if (result < 0) {
> free(crash_cmdline);
> return -1;
> }
> + crash_cmdline_len = strlen(crash_cmdline);
> + } else {
> + crash_cmdline = NULL;
> + crash_cmdline_len = 0;
> }
>
> + if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
> + printf ("Command line buffer overflow\n");
> + return -1;
> + }
> +
> cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
> memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
> if (command_line)
> - strncat(cmdline_buf, command_line, command_line_len);
> + strcpy(cmdline_buf, command_line);
> if (crash_cmdline)
> - strncat(cmdline_buf, crash_cmdline,
> - sizeof(crash_cmdline) -
> - strlen(crash_cmdline) - 1);
> + strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
>
> /*
> * In case of a toy we take the hardcoded things and an easy setup via
> diff --git a/kexec/arch/ppc/kexec-uImage-ppc.c b/kexec/arch/ppc/kexec-uImage-ppc.c
> index 900cd16..0c96bac 100644
> --- a/kexec/arch/ppc/kexec-uImage-ppc.c
> +++ b/kexec/arch/ppc/kexec-uImage-ppc.c
> @@ -81,7 +81,7 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> unsigned int ep)
> {
> char *command_line, *cmdline_buf, *crash_cmdline;
> - int command_line_len;
> + int command_line_len, crash_cmdline_len;
> char *dtb;
> unsigned int addr;
> unsigned long dtb_addr;
> @@ -140,13 +140,10 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> die("Can't specify --ramdisk or --initrd with --reuseinitrd\n");
>
> command_line_len = 0;
> - if (command_line) {
> - command_line_len = strlen(command_line) + 1;
> - } else {
> + if (!command_line)
> command_line = get_command_line();
> - command_line_len = strlen(command_line) + 1;
> - }
>
> + command_line_len = strlen(command_line);
> fixup_nodes[cur_fixup] = NULL;
>
> /*
> @@ -179,25 +176,27 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> if (info->kexec_flags & KEXEC_ON_CRASH) {
> crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> - } else
> - crash_cmdline = NULL;
> -
> - if (info->kexec_flags & KEXEC_ON_CRASH) {
> ret = load_crashdump_segments(info, crash_cmdline,
> max_addr, 0);
> - if (ret < 0) {
> + if (ret < 0)
> return -1;
> - }
> + crash_cmdline_len = strlen(crash_cmdline);
> + } else {
> + crash_cmdline = NULL;
> + crash_cmdline_len = 0;
> + }
> +
> + if (command_line_len + crash_cmdline_len + 1 > COMMAND_LINE_SIZE) {
> + printf("Command line buffer overflow \n");
> + return -1;
> }
>
> cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
> memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
> if (command_line)
> - strncat(cmdline_buf, command_line, command_line_len);
> + strcpy(cmdline_buf, command_line);
> if (crash_cmdline)
> - strncat(cmdline_buf, crash_cmdline,
> - sizeof(crash_cmdline) -
> - strlen(crash_cmdline) - 1);
> + strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
>
> elf_rel_build_load(info, &info->rhdr, (const char *)purgatory,
> purgatory_size, 0, -1, -1, 0);
>
>
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2013-04-02 10:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-02 8:03 [PATCH] kexec/powerpc: Handle buffer overflow in kernel command line Suzuki K. Poulose
2013-04-02 10:58 ` Zhang Yanfei [this message]
2013-04-02 12:13 ` [UPDATED PATCH] " Suzuki K. Poulose
2013-04-16 6:17 ` Suzuki K. Poulose
2013-04-16 6:37 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=515AB9BF.5080104@gmail.com \
--to=zhangyanfei.yes@gmail.com \
--cc=horms@verge.net.au \
--cc=kexec@lists.infradead.org \
--cc=suzuki@in.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox