From: Thorsten Blum <thorsten.blum@linux.dev>
To: Borislav Petkov <bp@alien8.de>
Cc: Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Chao Fan <fanc.fnst@cn.fujitsu.com>,
stable@vger.kernel.org, Borislav Petkov <bp@suse.de>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values
Date: Thu, 18 Jun 2026 20:57:56 +0200 [thread overview]
Message-ID: <ajQ_tNrz5hkS1MmB@linux.dev> (raw)
In-Reply-To: <20260618180412.GBajQzHB3Rj0SrS1Eo@fat_crate.local>
On Thu, Jun 18, 2026 at 11:04:12AM -0700, Borislav Petkov wrote:
> On Thu, Jun 18, 2026 at 07:59:09PM +0200, Thorsten Blum wrote:
> > On Thu, Jun 18, 2026 at 09:38:56AM -0700, Borislav Petkov wrote:
> > > On Thu, Jun 18, 2026 at 05:03:46PM +0200, Thorsten Blum wrote:
> > > > get_cmdline_acpi_rsdp() can truncate it into a different, parseable
> > > > address and use that instead.
> > >
> > > How?
> >
> > The buffer has 19 bytes to hold the "0x" prefix, 16 hex digits, and the
> > NUL terminator.
> >
> > cmdline_find_option() copies only bufsize - 1 bytes, but returns the
> > full argument length. So for example:
> >
> > acpi_rsdp=0x0123456789abcdefx
> >
> > gets copied as:
> >
> > 0x0123456789abcdef
> >
> > which boot_kstrtoul() parses successfully. The user supplied an invalid
> > value, but we silently use the truncated prefix as the RSDP address.
>
> My question stands:
>
> "Or are we protecting people from shooting themselves in foot now too?"
>
> Especially users who should know what they're doing...
>
> IOW, how far are we going to "protect" here?
Only far enough to avoid using a value the user didn't actually enter.
A user can still shoot themselves in the foot by using a syntactically
valid but wrong address. The check only rejects an overlong acpi_rsdp=
value after cmdline_find_option() reports that it didn't fit in the
buffer.
We already reject values that boot_kstrtoul() fails to parse; this is
the same idea: the copied string is incomplete and shouldn't be parsed.
Thanks,
Thorsten
next prev parent reply other threads:[~2026-06-18 18:58 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-17 13:04 [PATCH] x86/boot: Reject truncated acpi_rsdp= values Thorsten Blum
2026-06-18 4:54 ` Borislav Petkov
2026-06-18 15:03 ` Thorsten Blum
2026-06-18 16:38 ` Borislav Petkov
2026-06-18 17:59 ` Thorsten Blum
2026-06-18 18:04 ` Borislav Petkov
2026-06-18 18:57 ` Thorsten Blum [this message]
2026-06-18 19:34 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajQ_tNrz5hkS1MmB@linux.dev \
--to=thorsten.blum@linux.dev \
--cc=bp@alien8.de \
--cc=bp@suse.de \
--cc=dave.hansen@linux.intel.com \
--cc=fanc.fnst@cn.fujitsu.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tglx@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox