[PATCH] kho: make sure kho_scratch argument is fully consumed

[PATCH] kho: make sure kho_scratch argument is fully consumed

[Pratyush Yadav]

When specifying fixed sized scratch areas, the parser only parses the
three scratch sizes and ignores the rest of the argument. This means the
argument can have any bogus trailing characters.

For example, "kho_scratch=256M,512M,512Mfoobar" results in successful
parsing:

    [    0.000000] KHO: scratch areas: lowmem: 256MiB global: 512MiB pernode: 512MiB

It is generally a good idea to parse arguments as strictly as possible.
In addition, if bogus trailing characters are allowed in the kho_scratch
argument, it is possible that some people might end up using them and
later extensions to the argument format will cause unexpected breakages.

Make sure the argument is fully consumed after all three scratch sizes
are parsed. With this change, the bogus argument
"kho_scratch=256M,512M,512Mfoobar" results in:

    [    0.000000] Malformed early option 'kho_scratch'

Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
---
 kernel/kexec_handover.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/kexec_handover.c b/kernel/kexec_handover.c
index ecd1ac210dbd7..a90d55121a7a0 100644
--- a/kernel/kexec_handover.c
+++ b/kernel/kexec_handover.c
@@ -446,6 +446,10 @@ static int __init kho_parse_scratch_size(char *p)
 		p = endp;
 	}
 
+	/* The string should be fully consumed by now. */
+	if (*p)
+		return -EINVAL;
+
 	scratch_size_lowmem = sizes[0];
 	scratch_size_global = sizes[1];
 	scratch_size_pernode = sizes[2];
-- 
2.47.3

Re: [PATCH] kho: make sure kho_scratch argument is fully consumed

[Mike Rapoport]

On Tue, Aug 26, 2025 at 02:38:16PM +0200, Pratyush Yadav wrote:
> When specifying fixed sized scratch areas, the parser only parses the
> three scratch sizes and ignores the rest of the argument. This means the
> argument can have any bogus trailing characters.
> 
> For example, "kho_scratch=256M,512M,512Mfoobar" results in successful
> parsing:
> 
>     [    0.000000] KHO: scratch areas: lowmem: 256MiB global: 512MiB pernode: 512MiB
> 
> It is generally a good idea to parse arguments as strictly as possible.
> In addition, if bogus trailing characters are allowed in the kho_scratch
> argument, it is possible that some people might end up using them and
> later extensions to the argument format will cause unexpected breakages.
> 
> Make sure the argument is fully consumed after all three scratch sizes
> are parsed. With this change, the bogus argument
> "kho_scratch=256M,512M,512Mfoobar" results in:
> 
>     [    0.000000] Malformed early option 'kho_scratch'
> 
> Signed-off-by: Pratyush Yadav <pratyush@kernel.org>

Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>

> ---
>  kernel/kexec_handover.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/kernel/kexec_handover.c b/kernel/kexec_handover.c
> index ecd1ac210dbd7..a90d55121a7a0 100644
> --- a/kernel/kexec_handover.c
> +++ b/kernel/kexec_handover.c
> @@ -446,6 +446,10 @@ static int __init kho_parse_scratch_size(char *p)
>  		p = endp;
>  	}
>  
> +	/* The string should be fully consumed by now. */
> +	if (*p)
> +		return -EINVAL;
> +
>  	scratch_size_lowmem = sizes[0];
>  	scratch_size_global = sizes[1];
>  	scratch_size_pernode = sizes[2];
> -- 
> 2.47.3
> 

-- 
Sincerely yours,
Mike.