[PATCH] x86/boot: Reject truncated acpi_rsdp= values

[PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Thorsten Blum]

cmdline_find_option() returns the full length of the argument value even
if it is truncated. However, get_cmdline_acpi_rsdp() only checks whether
acpi_rsdp= is present and does not reject truncated values that do not
fit in the buffer.

Reject truncated values early to prevent boot_kstrtoul() from parsing a
partial value and thus from silently using the wrong RSDP address.

Fixes: 3c98e71b42a7 ("x86/boot: Add "acpi_rsdp=" early parsing")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 arch/x86/boot/compressed/acpi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/compressed/acpi.c b/arch/x86/boot/compressed/acpi.c
index f196b1d1ddf8..1b5638a8e180 100644
--- a/arch/x86/boot/compressed/acpi.c
+++ b/arch/x86/boot/compressed/acpi.c
@@ -184,8 +184,8 @@ static unsigned long get_cmdline_acpi_rsdp(void)
 	char val[MAX_ADDR_LEN] = { };
 	int ret;
 
-	ret = cmdline_find_option("acpi_rsdp", val, MAX_ADDR_LEN);
-	if (ret < 0)
+	ret = cmdline_find_option("acpi_rsdp", val, sizeof(val));
+	if (ret < 0 || ret >= sizeof(val))
 		return 0;
 
 	if (boot_kstrtoul(val, 16, &addr))

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Borislav Petkov]

On Wed, Jun 17, 2026 at 03:04:18PM +0200, Thorsten Blum wrote:
> cmdline_find_option() returns the full length of the argument value even
> if it is truncated. However, get_cmdline_acpi_rsdp() only checks whether
> acpi_rsdp= is present and does not reject truncated values that do not
> fit in the buffer.
> 
> Reject truncated values early to prevent boot_kstrtoul() from parsing a
> partial value and thus from silently using the wrong RSDP address.

And?

If it uses the wrong address, it'll crash'n'burn later. As it should be.

Or are we protecting people from shooting themselves in foot now too?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Thorsten Blum]

On Wed, Jun 17, 2026 at 09:54:00PM -0700, Borislav Petkov wrote:
> On Wed, Jun 17, 2026 at 03:04:18PM +0200, Thorsten Blum wrote:
> > cmdline_find_option() returns the full length of the argument value even
> > if it is truncated. However, get_cmdline_acpi_rsdp() only checks whether
> > acpi_rsdp= is present and does not reject truncated values that do not
> > fit in the buffer.
> > 
> > Reject truncated values early to prevent boot_kstrtoul() from parsing a
> > partial value and thus from silently using the wrong RSDP address.
> 
> And?
> 
> If it uses the wrong address, it'll crash'n'burn later. As it should be.

The problem is that we don't necessarily use the user-supplied address.

get_cmdline_acpi_rsdp() can truncate it into a different, parseable
address and use that instead. That might not crash at all.

We already return 0 and fail gracefully when boot_kstrtoul() cannot
parse the value; this does the same when cmdline_find_option() reports
the value was truncated because it didn't fit the buffer.

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Borislav Petkov]

On Thu, Jun 18, 2026 at 05:03:46PM +0200, Thorsten Blum wrote:
> get_cmdline_acpi_rsdp() can truncate it into a different, parseable
> address and use that instead.

How?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Thorsten Blum]

On Thu, Jun 18, 2026 at 09:38:56AM -0700, Borislav Petkov wrote:
> On Thu, Jun 18, 2026 at 05:03:46PM +0200, Thorsten Blum wrote:
> > get_cmdline_acpi_rsdp() can truncate it into a different, parseable
> > address and use that instead.
> 
> How?

The buffer has 19 bytes to hold the "0x" prefix, 16 hex digits, and the
NUL terminator.

cmdline_find_option() copies only bufsize - 1 bytes, but returns the
full argument length. So for example:

	acpi_rsdp=0x0123456789abcdefx

gets copied as:

	0x0123456789abcdef

which boot_kstrtoul() parses successfully. The user supplied an invalid
value, but we silently use the truncated prefix as the RSDP address.

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Borislav Petkov]

On Thu, Jun 18, 2026 at 07:59:09PM +0200, Thorsten Blum wrote:
> On Thu, Jun 18, 2026 at 09:38:56AM -0700, Borislav Petkov wrote:
> > On Thu, Jun 18, 2026 at 05:03:46PM +0200, Thorsten Blum wrote:
> > > get_cmdline_acpi_rsdp() can truncate it into a different, parseable
> > > address and use that instead.
> > 
> > How?
> 
> The buffer has 19 bytes to hold the "0x" prefix, 16 hex digits, and the
> NUL terminator.
> 
> cmdline_find_option() copies only bufsize - 1 bytes, but returns the
> full argument length. So for example:
> 
> 	acpi_rsdp=0x0123456789abcdefx
> 
> gets copied as:
> 
> 	0x0123456789abcdef
> 
> which boot_kstrtoul() parses successfully. The user supplied an invalid
> value, but we silently use the truncated prefix as the RSDP address.

My question stands:

"Or are we protecting people from shooting themselves in foot now too?"

Especially users who should know what they're doing...

IOW, how far are we going to "protect" here?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Thorsten Blum]

On Thu, Jun 18, 2026 at 11:04:12AM -0700, Borislav Petkov wrote:
> On Thu, Jun 18, 2026 at 07:59:09PM +0200, Thorsten Blum wrote:
> > On Thu, Jun 18, 2026 at 09:38:56AM -0700, Borislav Petkov wrote:
> > > On Thu, Jun 18, 2026 at 05:03:46PM +0200, Thorsten Blum wrote:
> > > > get_cmdline_acpi_rsdp() can truncate it into a different, parseable
> > > > address and use that instead.
> > > 
> > > How?
> > 
> > The buffer has 19 bytes to hold the "0x" prefix, 16 hex digits, and the
> > NUL terminator.
> > 
> > cmdline_find_option() copies only bufsize - 1 bytes, but returns the
> > full argument length. So for example:
> > 
> > 	acpi_rsdp=0x0123456789abcdefx
> > 
> > gets copied as:
> > 
> > 	0x0123456789abcdef
> > 
> > which boot_kstrtoul() parses successfully. The user supplied an invalid
> > value, but we silently use the truncated prefix as the RSDP address.
> 
> My question stands:
> 
> "Or are we protecting people from shooting themselves in foot now too?"
> 
> Especially users who should know what they're doing...
> 
> IOW, how far are we going to "protect" here?

Only far enough to avoid using a value the user didn't actually enter.

A user can still shoot themselves in the foot by using a syntactically
valid but wrong address. The check only rejects an overlong acpi_rsdp=
value after cmdline_find_option() reports that it didn't fit in the
buffer.

We already reject values that boot_kstrtoul() fails to parse; this is
the same idea: the copied string is incomplete and shouldn't be parsed.

Thanks,
Thorsten

Re: [PATCH] x86/boot: Reject truncated acpi_rsdp= values

[Borislav Petkov]

On Thu, Jun 18, 2026 at 08:57:56PM +0200, Thorsten Blum wrote:
> Only far enough to avoid using a value the user didn't actually enter.

But the user did enter it.

And nothing in there tells her/him that they entered a wrong value. Only that
the value she entered magically turned into a 0.

So how is that helping said user fix the input?

And is there a real use case you're fixing here or is this something
hypothetical that *might* happen?

> A user can still shoot themselves in the foot by using a syntactically
> valid but wrong address. The check only rejects an overlong acpi_rsdp=
> value after cmdline_find_option() reports that it didn't fit in the
> buffer.

My question still stands paraphrazed: what *actual*, real use case are you
fixing here?

And how does your fix make anything better?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette