Re: [PATCH] Revert "kexec/powerpc: Handle buffer overflow in kernel command line"

[Zhang Yanfei <zhangyanfei.yes@gmail.com>]

于 2013年04月16日 21:54, Simon Horman 写道:
> On Tue, Apr 16, 2013 at 09:04:31PM +0800, Zhang Yanfei wrote:
>> Hi Simon,
>>
>> I found that you may apply the patch from Suzuki with a wrong commit
>> description by mistake. So I send this revert patch and resend the
>> patch in another mail with a subject:
>>     "[PATCH RESEND] kexec/powerpc: Handle buffer overflow in kernel command line"
>>
>> Could you please apply the two patches?
> 
> Sorry for my carelessness.
> 
> I have removed the patch I applied earlier today, applied the
> one you posted after this one and forcibly pushed the result.
> 

OK. Now it is ok.

Thanks
Zhang

>>
>> Thanks
>> Zhang
>>
>> 于 2013年04月16日 20:59, Zhang Yanfei 写道:
>>> From: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
>>>
>>> This reverts commit d58dcae3e61b375578ff3145e627a5d85afb5f52.
>>>
>>> The commit description is kind of wrong and maybe caused by Simon
>>> when he applied the patch.
>>>
>>> Signed-off-by: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
>>> ---
>>>  kexec/arch/ppc/kexec-elf-ppc.c    |   29 +++++++++++++----------------
>>>  kexec/arch/ppc/kexec-uImage-ppc.c |   23 +++++++++--------------
>>>  2 files changed, 22 insertions(+), 30 deletions(-)
>>>
>>> diff --git a/kexec/arch/ppc/kexec-elf-ppc.c b/kexec/arch/ppc/kexec-elf-ppc.c
>>> index 98cae9c..3daca2d 100644
>>> --- a/kexec/arch/ppc/kexec-elf-ppc.c
>>> +++ b/kexec/arch/ppc/kexec-elf-ppc.c
>>> @@ -157,7 +157,7 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
>>>  	struct mem_ehdr ehdr;
>>>  	char *command_line, *crash_cmdline, *cmdline_buf;
>>>  	char *tmp_cmdline;
>>> -	int command_line_len, crash_cmdline_len;
>>> +	int command_line_len;
>>>  	char *dtb;
>>>  	int result;
>>>  	char *error_msg;
>>> @@ -244,10 +244,19 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
>>>  	} else {
>>>  		command_line = get_command_line();
>>>  	}
>>> -	command_line_len = strlen(command_line);
>>> +	command_line_len = strlen(command_line) + 1;
>>>  
>>>  	fixup_nodes[cur_fixup] = NULL;
>>>  
>>> +	/* Need to append some command line parameters internally in case of
>>> +	 * taking crash dumps.
>>> +	 */
>>> +	if (info->kexec_flags & KEXEC_ON_CRASH) {
>>> +		crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
>>> +		memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
>>> +	} else
>>> +		crash_cmdline = NULL;
>>> +
>>>  	/* Parse the Elf file */
>>>  	result = build_elf_exec_info(buf, len, &ehdr, 0);
>>>  	if (result < 0) {
>>> @@ -283,23 +292,16 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
>>>  		goto out;
>>>  	}
>>>  
>>> -	/*
>>> -	 * Need to append some command line parameters internally in case of
>>> -	 * taking crash dumps. Additional segments need to be created.
>>> +	/* If panic kernel is being loaded, additional segments need
>>> +	 * to be created.
>>>  	 */
>>>  	if (info->kexec_flags & KEXEC_ON_CRASH) {
>>> -		crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
>>> -		memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
>>>  		result = load_crashdump_segments(info, crash_cmdline,
>>>  						max_addr, 0);
>>>  		if (result < 0) {
>>>  			result = -1;
>>>  			goto out;
>>>  		}
>>> -		crash_cmdline_len = strlen(crash_cmdline);
>>> -	} else {
>>> -		crash_cmdline = NULL;
>>> -		crash_cmdline_len = 0;
>>>  	}
>>>  
>>>  	/*
>>> @@ -335,11 +337,6 @@ int elf_ppc_load(int argc, char **argv,	const char *buf, off_t len,
>>>  
>>>  	info->entry = (void *)arg_base;
>>>  #else
>>> -	if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
>>> -		printf("Kernel command line exceeds size\n");
>>> -		return -1;
>>> -	}
>>> -
>>>  	cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
>>>  	memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
>>>  	if (command_line)
>>> diff --git a/kexec/arch/ppc/kexec-uImage-ppc.c b/kexec/arch/ppc/kexec-uImage-ppc.c
>>> index 008463b..9113fbe 100644
>>> --- a/kexec/arch/ppc/kexec-uImage-ppc.c
>>> +++ b/kexec/arch/ppc/kexec-uImage-ppc.c
>>> @@ -82,7 +82,7 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
>>>  {
>>>  	char *command_line, *cmdline_buf, *crash_cmdline;
>>>  	char *tmp_cmdline;
>>> -	int command_line_len, crash_cmdline_len;
>>> +	int command_line_len;
>>>  	char *dtb;
>>>  	unsigned int addr;
>>>  	unsigned long dtb_addr;
>>> @@ -178,34 +178,29 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
>>>  
>>>  	add_segment(info, buf, len, load_addr, len + _1MiB);
>>>  
>>> -
>>>  	if (info->kexec_flags & KEXEC_ON_CRASH) {
>>>                  crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
>>>                  memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
>>> +        } else
>>> +                crash_cmdline = NULL;
>>> +
>>> +	if (info->kexec_flags & KEXEC_ON_CRASH) {
>>>  		ret = load_crashdump_segments(info, crash_cmdline,
>>>  						max_addr, 0);
>>>  		if (ret < 0) {
>>>  			ret = -1;
>>>  			goto out;
>>>  		}
>>> -		crash_cmdline_len = strlen(crash_cmdline);
>>> -	} else {
>>> -		crash_cmdline = NULL;
>>> -		crash_cmdline_len = 0;
>>> -	}
>>> -
>>> -	if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
>>> -		printf("Kernel command line exceeds maximum possible length\n");
>>> -		return -1;
>>>  	}
>>>  
>>>  	cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
>>>  	memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
>>> -
>>>  	if (command_line)
>>> -		strcpy(cmdline_buf, command_line);
>>> +		strncat(cmdline_buf, command_line, command_line_len);
>>>  	if (crash_cmdline)
>>> -		strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
>>> +		strncat(cmdline_buf, crash_cmdline,
>>> +			sizeof(crash_cmdline) -
>>> +			strlen(crash_cmdline) - 1);
>>>  
>>>  	elf_rel_build_load(info, &info->rhdr, (const char *)purgatory,
>>>  				purgatory_size, 0, -1, -1, 0);
>>


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec