Received: by 2002:ab2:1347:0:b0:1f4:ac9d:b246 with SMTP id g7csp466996lqg;
        Thu, 11 Apr 2024 08:09:37 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWZDekUSAIuCPolcijCe+wReLgKygbVGQfw7bEwFrsfc3zDZ3GWwl3m9/KI/KkSTapv+mgBUXeAIyGwDM3C66uVm/Wj/k/caF2HCaOfTA==
X-Google-Smtp-Source: AGHT+IFFzOWvEy/NCfTqK19+ZDbF1ciYv/5bea/wGtENQjrA6ZrcGXRE7sJv4jNnt5O4JAzes84w
X-Received: by 2002:a05:6122:3bd3:b0:4db:1b9d:c70a with SMTP id ft19-20020a0561223bd300b004db1b9dc70amr137399vkb.0.1712848177066;
        Thu, 11 Apr 2024 08:09:37 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1712848177; cv=pass;
        d=google.com; s=arc-20160816;
        b=VdkNG/RDUoiKjDKgsdGsn6j7gxLL2R2uJtXRZ0BxnxEQLRaJoFuhSAzhJXlRE8Zp9t
         xCnSDdsb+GlRrnGtSy2WnDIkqSx6clvWoxwUYVJdrErFFrQBsmFm0reAyowmbXFCCcDn
         C8T8CUvDUVhYnra0rh6u5YOvCJx+orravh10toi+RCG+P7jgYeP8y1xP/cIPj+n7yTHk
         iotXc7QpIYBfxuAH7CSa4vynVP4cc+LvWRYEW2w7Za28a4iWltOfmTnVj6DZrvqYiQ+E
         GOvgUjMr5aFRmCoSoNSDLOY2yCdAED6OlprgslJUmAZKzS52SuXKWMCatkzZdot9O17/
         VI1g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :subject:cc:to:from:date:dkim-signature;
        bh=UKaQWvEMNPrfDul2aAj5hhyiDbw+sMDbDUpY6zlKFaA=;
        fh=uM0AMg/AIAnz4OC7v2JFDh8Ohpxg9QXVkWH0Ktz14UI=;
        b=LT4DXDFDt+ves1jT/+FKlXV8JKAwjIh/hpCRwCpxnMiHhmvuDrFqSJJXRNCo49R8wc
         uL/17kNhiuWfNwqpqv44/suffm0YQuSISD0VDbRJNA+R74MQlJyuF1MxXdXI8P0aBEbX
         tXwy2LPmPDJxiiYFKFS4+DgYFT7f1k9HrIVwx4ruxIQxQwdfkIIeyKKSe6ZApSPyHsxO
         07w+On0z4WKe94UdlY79p/RQHDEsk6pJBAG+M3zWsmskWbphc7zk8MDG2p6USXFHpySh
         5Q9eGA71Xjka39E507sw+6LsFAFjghBoylqHe3lZu2imw23wHYy/rXP+/L9Jtnaj4Foj
         Sd1A==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=bbOhPmBV;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-140721-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-140721-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel+bounces-140721-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id fp18-20020a0561223a1200b004da9c933cdesi227776vkb.36.2024.04.11.08.09.36
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 11 Apr 2024 08:09:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-140721-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=bbOhPmBV;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-140721-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-140721-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 413BD1C21EE5
	for <linux.lists.archive@gmail.com>; Thu, 11 Apr 2024 15:09:11 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 0E51813FFC;
	Thu, 11 Apr 2024 15:09:06 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="bbOhPmBV"
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 372BF134A6
	for <linux-kernel@vger.kernel.org>; Thu, 11 Apr 2024 15:09:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712848145; cv=none; b=YRi4U4ZeacJJwUUwU14cOr/3qQKSumqTFO61uYWninB2c/WwH9nckfS2b30TPjFyMxp5d5GE4UFtGHSgB3JFuOuCXww6me8qlKKKhsA0e3c6tb5o9fZ7BH+Qqw9UQax0HT3D/bZDl0+rAEreJrfqlgI35tNyWPvOZ27PZW2hQec=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712848145; c=relaxed/simple;
	bh=RVORxIAI43gTiQrKWQVAC9zIU4DsuLvhV4Kx4jfwHSw=;
	h=Date:From:To:Cc:Subject:Message-Id:In-Reply-To:References:
	 Mime-Version:Content-Type; b=T1gesl46Riu24ni4dz4S1RKT3+rCnrdpXWcOyKk6MKno8cfxC3U12v+zt9kNKeJnpmtzsywUKXEUGsdXF2zHQFb6JlXm0JYc8w30eabOaOq7fmIuUVZlUBKnSCZ4X4IjAZBuDtcSmdSp4BBphvFEOesiZFYJmJmEOzxZkkzlAiE=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=bbOhPmBV; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A6C0BC072AA;
	Thu, 11 Apr 2024 15:09:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1712848143;
	bh=RVORxIAI43gTiQrKWQVAC9zIU4DsuLvhV4Kx4jfwHSw=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=bbOhPmBVluMbGNnFm8dJm3MaHLuHVNTGgV/zUSV2cpGCbxTpfRjSsBGx6gGA0IeXx
	 tFAPlcA+ttz0wTaV/RGNrVwCF7PXnxVjTm5zY2WBTKdggeJffZtOaWITxtnC2nHd+6
	 Z+z2GhSO3q6QjN94f6cizbSOUu32KIr5wIbgILBhkSSzekyKjtpKl/z6qXOE7XAY7e
	 VXlrA0prld3mRQbVn7UQVvlz3LY+aOm0CgrOkUGBPw7Zpo3hEmSe15IWtjO6naGiKK
	 b0Y8UmBPqp4+/CaLYFRLNWr+YcpAePnVnUW/LYaDkQNIBoGb+eD9h+cD+Cw2Hzcnnm
	 Qt9tAh4qFwKag==
Date: Fri, 12 Apr 2024 00:08:58 +0900
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
To: Yuntao Wang <ytcoode@gmail.com>
Cc: rppt@kernel.org, akpm@linux-foundation.org, arnd@arndb.de,
 christophe.leroy@csgroup.eu, geert@linux-m68k.org, jpoimboe@kernel.org,
 kjlx@templeofstupid.com, linux-kernel@vger.kernel.org, mhiramat@kernel.org,
 ndesaulniers@google.com, peterz@infradead.org, tglx@linutronix.de,
 tj@kernel.org
Subject: Re: [PATCH] init/main.c: Fix potential static_command_line memory
 overflow
Message-Id: <20240412000858.7d81a7b946af172e6aed554d@kernel.org>
In-Reply-To: <20240411142735.245515-1-ytcoode@gmail.com>
References: <Zhfj4T1-u354E_KP@kernel.org>
	<20240411142735.245515-1-ytcoode@gmail.com>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On Thu, 11 Apr 2024 22:27:23 +0800
Yuntao Wang <ytcoode@gmail.com> wrote:

> On Thu, 11 Apr 2024 16:21:37 +0300, Mike Rapoport <rppt@kernel.org> wrote:
> > On Thu, Apr 11, 2024 at 09:23:47AM +0200, Geert Uytterhoeven wrote:
> > > CC Hiramatsu-san
> > > 
> > > On Thu, Apr 11, 2024 at 5:25 AM Yuntao Wang <ytcoode@gmail.com> wrote:
> > > > We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for
> > > > static_command_line, but the strings copied into static_command_line are
> > > > extra_command_line and command_line, rather than extra_command_line and
> > > > boot_command_line.
> > > >
> > > > When strlen(command_line) > strlen(boot_command_line), static_command_line
> > > > will overflow.
> > 
> > Can this ever happen? 
> > Did you observe the overflow or is this a theoretical bug?
> 
> I didn't observe the overflow, it's just a theoretical bug.
> 
> > > > Fixes: f5c7310ac73e ("init/main: add checks for the return value of memblock_alloc*()")
> > 
> > f5c7310ac73e didn't have the logic for calculating allocation size, we
> > surely don't want to go back that far wiht Fixes.
> 
> Before commit f5c7310ac73e, the memory size allocated for static_command_line
> was 'strlen(command_line) + 1', but commit f5c7310ac73e changed this size
> to 'strlen(boot_command_line) + 1'. I think this should be wrong.

Ah, OK. that sounds reasonable. 

> 
> > > > Signed-off-by: Yuntao Wang <ytcoode@gmail.com>
> > > > ---
> > > >  init/main.c | 8 +++++---
> > > >  1 file changed, 5 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/init/main.c b/init/main.c
> > > > index 2ca52474d0c3..a7b1f5f3e3b6 100644
> > > > --- a/init/main.c
> > > > +++ b/init/main.c
> > > > @@ -625,11 +625,13 @@ static void __init setup_command_line(char *command_line)
> > > >         if (extra_init_args)
> > > >                 ilen = strlen(extra_init_args) + 4; /* for " -- " */
> > > >
> > > > -       len = xlen + strlen(boot_command_line) + 1;
> > > > +       len = xlen + strlen(boot_command_line) + ilen + 1;
> > > >
> > > > -       saved_command_line = memblock_alloc(len + ilen, SMP_CACHE_BYTES);
> > > > +       saved_command_line = memblock_alloc(len, SMP_CACHE_BYTES);
> > > >         if (!saved_command_line)
> > > > -               panic("%s: Failed to allocate %zu bytes\n", __func__, len + ilen);
> > > > +               panic("%s: Failed to allocate %zu bytes\n", __func__, len);
> > > > +
> > > > +       len = xlen + strlen(command_line) + 1;

Ah, I missed this line. Sorry. So this looks good to me but you don't need any
other lines, because those are not related to the bug you want to fix.
Please just focus on 1 fix.

Thank you,

> > > >
> > > >         static_command_line = memblock_alloc(len, SMP_CACHE_BYTES);
> > > >         if (!static_command_line)
> > > 
> > > Gr{oetje,eeting}s,
> > > 
> > >                         Geert
> > > 
> > > -- 
> > > Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
> > > 
> > > In personal conversations with technical people, I call myself a hacker. But
> > > when I'm talking to journalists I just say "programmer" or something like that.
> > >                                 -- Linus Torvalds
> > 
> > -- 
> > Sincerely yours,
> > Mike.


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>