[PATCH] MIPS: validate DT bootargs before appending them

[PATCH] MIPS: validate DT bootargs before appending them

[Pengpeng Hou]

bootcmdline_scan_chosen() fetches the raw flat-DT bootargs property and
passes it straight to bootcmdline_append(). That helper later feeds the
same pointer into strlcat(), which computes strlen(src) before copying.
Flat DT properties are external boot input, and this path does not
prove that bootargs is NUL-terminated within its declared bounds.

Reject unterminated bootargs properties before appending them to the
kernel command line.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 arch/mips/kernel/setup.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
index f9b228e33f3b..dd7915110820 100644
--- a/arch/mips/kernel/setup.c
+++ b/arch/mips/kernel/setup.c
@@ -31,6 +31,7 @@
 #include <linux/of_fdt.h>
 #include <linux/dmi.h>
 #include <linux/crash_dump.h>
+#include <linux/string.h>
 
 #include <asm/addrspace.h>
 #include <asm/bootinfo.h>
@@ -541,6 +542,9 @@ static int __init bootcmdline_scan_chosen(unsigned long node, const char *uname,
 
 	p = of_get_flat_dt_prop(node, "bootargs", &l);
 	if (p != NULL && l > 0) {
+		if (!memchr(p, '\0', l))
+			return 1;
+
 		bootcmdline_append(p, min(l, COMMAND_LINE_SIZE));
 		*dt_bootargs = true;
 	}
-- 
2.50.1 (Apple Git-155)

Re: [PATCH] MIPS: validate DT bootargs before appending them

[Sergey Shtylyov]

On 4/3/26 8:41 AM, Pengpeng Hou wrote:

> bootcmdline_scan_chosen() fetches the raw flat-DT bootargs property and
> passes it straight to bootcmdline_append(). That helper later feeds the
> same pointer into strlcat(), which computes strlen(src) before copying.
> Flat DT properties are external boot input, and this path does not
> prove that bootargs is NUL-terminated within its declared bounds.
> 
> Reject unterminated bootargs properties before appending them to the
> kernel command line.
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>  arch/mips/kernel/setup.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
> index f9b228e33f3b..dd7915110820 100644
> --- a/arch/mips/kernel/setup.c
> +++ b/arch/mips/kernel/setup.c
[...]
> @@ -541,6 +542,9 @@ static int __init bootcmdline_scan_chosen(unsigned long node, const char *uname,
>  
>  	p = of_get_flat_dt_prop(node, "bootargs", &l);
>  	if (p != NULL && l > 0) {
> +		if (!memchr(p, '\0', l))

   Maybe strnlen()?

[...]

MBR, Sergey

[PATCH v2] MIPS: validate DT bootargs before appending them

[Pengpeng Hou]

bootcmdline_scan_chosen() fetches the raw flat-DT bootargs property and
passes it straight to bootcmdline_append(). That helper later feeds the
same pointer into strlcat(), which computes strlen(src) before copying.
Flat DT properties are external boot input, and this path does not
prove that bootargs is NUL-terminated within its declared bounds.

Reject unterminated bootargs properties before appending them to the
kernel command line.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
Changes since v1:
- use strnlen() instead of memchr() for the local NUL-termination check

arch/mips/kernel/setup.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
index f9b228e33f3b..1ae6d0c0e1d6 100644
--- a/arch/mips/kernel/setup.c
+++ b/arch/mips/kernel/setup.c
@@ -31,6 +31,7 @@
 #include <linux/of_fdt.h>
 #include <linux/dmi.h>
 #include <linux/crash_dump.h>
+#include <linux/string.h>
 
 #include <asm/addrspace.h>
 #include <asm/bootinfo.h>
@@ -541,6 +542,9 @@ static int __init bootcmdline_scan_chosen(unsigned long node, const char *uname,
 
 	p = of_get_flat_dt_prop(node, "bootargs", &l);
 	if (p != NULL && l > 0) {
+		if (strnlen(p, l) >= l)
+			return 1;
+
 		bootcmdline_append(p, min(l, COMMAND_LINE_SIZE));
 		*dt_bootargs = true;
 	}
-- 
2.50.1 (Apple Git-155)

Re: [PATCH v2] MIPS: validate DT bootargs before appending them

[Thomas Bogendoerfer]

On Tue, Apr 07, 2026 at 09:57:03AM +0800, Pengpeng Hou wrote:
> bootcmdline_scan_chosen() fetches the raw flat-DT bootargs property and
> passes it straight to bootcmdline_append(). That helper later feeds the
> same pointer into strlcat(), which computes strlen(src) before copying.
> Flat DT properties are external boot input, and this path does not
> prove that bootargs is NUL-terminated within its declared bounds.
> 
> Reject unterminated bootargs properties before appending them to the
> kernel command line.
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> Changes since v1:
> - use strnlen() instead of memchr() for the local NUL-termination check
> 
> arch/mips/kernel/setup.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
> index f9b228e33f3b..1ae6d0c0e1d6 100644
> --- a/arch/mips/kernel/setup.c
> +++ b/arch/mips/kernel/setup.c
> @@ -31,6 +31,7 @@
>  #include <linux/of_fdt.h>
>  #include <linux/dmi.h>
>  #include <linux/crash_dump.h>
> +#include <linux/string.h>
>  
>  #include <asm/addrspace.h>
>  #include <asm/bootinfo.h>
> @@ -541,6 +542,9 @@ static int __init bootcmdline_scan_chosen(unsigned long node, const char *uname,
>  
>  	p = of_get_flat_dt_prop(node, "bootargs", &l);
>  	if (p != NULL && l > 0) {
> +		if (strnlen(p, l) >= l)
> +			return 1;
> +
>  		bootcmdline_append(p, min(l, COMMAND_LINE_SIZE));
>  		*dt_bootargs = true;
>  	}
> -- 
> 2.50.1 (Apple Git-155)

applied to mips-next

Thomas.

-- 
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a
good idea.                                                [ RFC1925, 2.3 ]

Re: [PATCH] MIPS: validate DT bootargs before appending them

[Pengpeng Hou]

Hi Sergey,

Thanks, that makes sense.

I have folded the validation into a bounded strnlen() check before the
append, and will resend it in that form.

Thanks,
Pengpeng