[PATCH] x86/boot: Reject truncated acpi_rsdp= values

[PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Thorsten Blum]

cmdline_find_option() returns the full length of the argument value even
if it is truncated. However, get_cmdline_acpi_rsdp() only checks whether
acpi_rsdp= is present and does not reject truncated values that do not
fit in the buffer.

Reject truncated values early to prevent boot_kstrtoul() from parsing a
partial value and thus from silently using the wrong RSDP address.

Fixes: 3c98e71b42a7 ("x86/boot: Add "acpi_rsdp=" early parsing")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 arch/x86/boot/compressed/acpi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/compressed/acpi.c b/arch/x86/boot/compressed/acpi.c
index f196b1d1ddf8..1b5638a8e180 100644
--- a/arch/x86/boot/compressed/acpi.c
+++ b/arch/x86/boot/compressed/acpi.c
@@ -184,8 +184,8 @@ static unsigned long get_cmdline_acpi_rsdp(void)
 	char val[MAX_ADDR_LEN] = { };
 	int ret;
 
-	ret = cmdline_find_option("acpi_rsdp", val, MAX_ADDR_LEN);
-	if (ret < 0)
+	ret = cmdline_find_option("acpi_rsdp", val, sizeof(val));
+	if (ret < 0 || ret >= sizeof(val))
 		return 0;
 
 	if (boot_kstrtoul(val, 16, &addr))

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Borislav Petkov]

On Wed, Jun 17, 2026 at 03:04:18PM +0200, Thorsten Blum wrote:
> cmdline_find_option() returns the full length of the argument value even
> if it is truncated. However, get_cmdline_acpi_rsdp() only checks whether
> acpi_rsdp= is present and does not reject truncated values that do not
> fit in the buffer.
> 
> Reject truncated values early to prevent boot_kstrtoul() from parsing a
> partial value and thus from silently using the wrong RSDP address.

And?

If it uses the wrong address, it'll crash'n'burn later. As it should be.

Or are we protecting people from shooting themselves in foot now too?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Thorsten Blum]

On Wed, Jun 17, 2026 at 09:54:00PM -0700, Borislav Petkov wrote:
> On Wed, Jun 17, 2026 at 03:04:18PM +0200, Thorsten Blum wrote:
> > cmdline_find_option() returns the full length of the argument value even
> > if it is truncated. However, get_cmdline_acpi_rsdp() only checks whether
> > acpi_rsdp= is present and does not reject truncated values that do not
> > fit in the buffer.
> > 
> > Reject truncated values early to prevent boot_kstrtoul() from parsing a
> > partial value and thus from silently using the wrong RSDP address.
> 
> And?
> 
> If it uses the wrong address, it'll crash'n'burn later. As it should be.

The problem is that we don't necessarily use the user-supplied address.

get_cmdline_acpi_rsdp() can truncate it into a different, parseable
address and use that instead. That might not crash at all.

We already return 0 and fail gracefully when boot_kstrtoul() cannot
parse the value; this does the same when cmdline_find_option() reports
the value was truncated because it didn't fit the buffer.

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Borislav Petkov]

On Thu, Jun 18, 2026 at 05:03:46PM +0200, Thorsten Blum wrote:
> get_cmdline_acpi_rsdp() can truncate it into a different, parseable
> address and use that instead.

How?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette