[PATCH v2] x86/boot: Reject overlong acpi_rsdp= values

[PATCH v2] x86/boot: Reject overlong acpi_rsdp= values

[Thorsten Blum]

cmdline_find_option() returns the full length of the acpi_rsdp= value
even if it is truncated. However, get_cmdline_acpi_rsdp() only checks
whether acpi_rsdp= is present and does not reject overlong values that
do not fit in the buffer.

Reject overlong values and warn to prevent boot_kstrtoul() from parsing
a truncated value and thus from silently using the wrong RSDP address.

Fixes: 3c98e71b42a7 ("x86/boot: Add "acpi_rsdp=" early parsing")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
Changes in v2:
- Warn on overlong acpi_rsdp= values (Boris)
- v1: https://lore.kernel.org/r/20260617130417.36651-4-thorsten.blum@linux.dev/
---
 arch/x86/boot/compressed/acpi.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/acpi.c b/arch/x86/boot/compressed/acpi.c
index f196b1d1ddf8..baaad01d2074 100644
--- a/arch/x86/boot/compressed/acpi.c
+++ b/arch/x86/boot/compressed/acpi.c
@@ -184,10 +184,15 @@ static unsigned long get_cmdline_acpi_rsdp(void)
 	char val[MAX_ADDR_LEN] = { };
 	int ret;
 
-	ret = cmdline_find_option("acpi_rsdp", val, MAX_ADDR_LEN);
+	ret = cmdline_find_option("acpi_rsdp", val, sizeof(val));
 	if (ret < 0)
 		return 0;
 
+	if (ret >= sizeof(val)) {
+		warn("acpi_rsdp= value too long; ignoring\n");
+		return 0;
+	}
+
 	if (boot_kstrtoul(val, 16, &addr))
 		return 0;
 #endif