On Tue, Apr 16, 2013 at 09:04:31PM +0800, Zhang Yanfei wrote:
> Hi Simon,
>
> I found that you may apply the patch from Suzuki with a wrong commit
> description by mistake. So I send this revert patch and resend the
> patch in another mail with a subject:
> "[PATCH RESEND] kexec/powerpc: Handle buffer overflow in kernel command line"
>
> Could you please apply the two patches? Sorry for my carelessness.
I have removed the patch I applied earlier today, applied the one you posted after this one and forcibly pushed the result.
>
> Thanks
> Zhang
>
> ? 2013?04?16? 20:59, Zhang Yanfei ??:
> > From: Zhang Yanfei <zhangyanfei at cn.fujitsu.com>
> >
> > This reverts commit d58dcae3e61b375578ff3145e627a5d85afb5f52.
> >
> > The commit description is kind of wrong and maybe caused by Simon
> > when he applied the patch.
> >
> > Signed-off-by: Zhang Yanfei <zhangyanfei at cn.fujitsu.com>
> > ---
> > kexec/arch/ppc/kexec-elf-ppc.c | 29 +++++++++++++----------------
> > kexec/arch/ppc/kexec-uImage-ppc.c | 23 +++++++++--------------
> > 2 files changed, 22 insertions(+), 30 deletions(-)
> >
> > diff --git a/kexec/arch/ppc/kexec-elf-ppc.c b/kexec/arch/ppc/kexec-elf-ppc.c
> > index 98cae9c..3daca2d 100644
> > --- a/kexec/arch/ppc/kexec-elf-ppc.c
> > +++ b/kexec/arch/ppc/kexec-elf-ppc.c
> > @@ -157,7 +157,7 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> > struct mem_ehdr ehdr;
> > char *command_line, *crash_cmdline, *cmdline_buf;
> > char *tmp_cmdline;
> > - int command_line_len, crash_cmdline_len;
> > + int command_line_len;
> > char *dtb;
> > int result;
> > char *error_msg;
> > @@ -244,10 +244,19 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> > } else {
> > command_line = get_command_line();
> > }
> > - command_line_len = strlen(command_line);
> > + command_line_len = strlen(command_line) + 1;
> >
> > fixup_nodes[cur_fixup] = NULL;
> >
> > + /* Need to append some command line parameters internally in case of
> > + * taking crash dumps.
> > + */
> > + if (info->kexec_flags & KEXEC_ON_CRASH) {
> > + crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> > + memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> > + } else
> > + crash_cmdline = NULL;
> > +
> > /* Parse the Elf file */
> > result = build_elf_exec_info(buf, len, &ehdr, 0);
> > if (result < 0) {
> > @@ -283,23 +292,16 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> > goto out;
> > }
> >
> > - /*
> > - * Need to append some command line parameters internally in case of
> > - * taking crash dumps. Additional segments need to be created.
> > + /* If panic kernel is being loaded, additional segments need
> > + * to be created.
> > */
> > if (info->kexec_flags & KEXEC_ON_CRASH) {
> > - crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> > - memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> > result = load_crashdump_segments(info, crash_cmdline,
> > max_addr, 0);
> > if (result < 0) {
> > result = -1;
> > goto out;
> > }
> > - crash_cmdline_len = strlen(crash_cmdline);
> > - } else {
> > - crash_cmdline = NULL;
> > - crash_cmdline_len = 0;
> > }
> >
> > /*
> > @@ -335,11 +337,6 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
> >
> > info->entry = (void *)arg_base;
> > #else
> > - if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
> > - printf("Kernel command line exceeds size\n");
> > - return -1;
> > - }
> > -
> > cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
> > memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
> > if (command_line)
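Review bot: In the `@@ -335` hunk, removing the `crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE` check leaves nothing in this hunk that bounds the combined `command_line` and `crash_cmdline` against the `COMMAND_LINE_SIZE` bytes of `cmdline_buf` allocated right below; the copies into `cmdline_buf` follow `if (command_line)` outside the hunk, and elf_ppc_load continues past it. Since the cover message pairs this revert with a resend of the bounded-copy fix, the revert should not land on its own; if it does, the check should stay, written as `if (strlen(command_line) + (crash_cmdline ? strlen(crash_cmdline) : 0) + 1 > COMMAND_LINE_SIZE) { printf("Kernel command line exceeds size\n"); goto out; }`. Note that on the new side `crash_cmdline` is now allocated earlier (the `@@ -244` hunk), so the old `return -1` would leak it, which is why the re-added check should `goto out` (assuming `out:` frees it, which is not visible here).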
> > diff --git a/kexec/arch/ppc/kexec-uImage-ppc.c b/kexec/arch/ppc/kexec-uImage-ppc.c
> > index 008463b..9113fbe 100644
> > --- a/kexec/arch/ppc/kexec-uImage-ppc.c
> > +++ b/kexec/arch/ppc/kexec-uImage-ppc.c
> > @@ -82,7 +82,7 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> > {
> > char *command_line, *cmdline_buf, *crash_cmdline;
> > char *tmp_cmdline;
> > - int command_line_len, crash_cmdline_len;
> > + int command_line_len;
> > char *dtb;
> > unsigned int addr;
> > unsigned long dtb_addr;
> > @@ -178,34 +178,29 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
> >
> > add_segment(info, buf, len, load_addr, len + _1MiB);
> >
> > -
> > if (info->kexec_flags & KEXEC_ON_CRASH) {
> > crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
> > memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
> > + } else
> > + crash_cmdline = NULL;
> > +
> > + if (info->kexec_flags & KEXEC_ON_CRASH) {
> > ret = load_crashdump_segments(info, crash_cmdline,
> > max_addr, 0);
> > if (ret < 0) {
> > ret = -1;
> > goto out;
> > }
> > - crash_cmdline_len = strlen(crash_cmdline);
> > - } else {
> > - crash_cmdline = NULL;
> > - crash_cmdline_len = 0;
> > - }
> > -
> > - if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
> > - printf("Kernel command line exceeds maximum possible length\n");
> > - return -1;
> > }
> >
> > cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
> > memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
> > -
> > if (command_line)
> > - strcpy(cmdline_buf, command_line);
> > + strncat(cmdline_buf, command_line, command_line_len);
> > if (crash_cmdline)
> > - strncat(cmdline_buf, crash_cmdline, crash_cmdline_len);
> > + strncat(cmdline_buf, crash_cmdline,
> > + sizeof(crash_cmdline) -
> > + strlen(crash_cmdline) - 1);
> >
> > elf_rel_build_load(info, &info->rhdr, (const char *)purgatory,
> > purgatory_size, 0, -1, -1, 0);
>
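Review bot: The restored `strncat(cmdline_buf, crash_cmdline, sizeof(crash_cmdline) - strlen(crash_cmdline) - 1)` at the end of the `@@ -178` hunk bounds the append by the size of a `char *` (4 or 8 bytes) minus the source length, not by the room left in the destination: a crash command line of a few bytes is silently truncated, and a longer one makes the unsigned subtraction wrap so the append into the `COMMAND_LINE_SIZE` `cmdline_buf` is effectively unbounded. The `COMMAND_LINE_SIZE` length check that would have rejected the oversized case is removed in the same hunk, so neither path is protected. The bound belongs to the destination: `strncat(cmdline_buf, crash_cmdline, COMMAND_LINE_SIZE - strlen(cmdline_buf) - 1);`, with an explicit length check kept if truncation should be an error rather than silent. The cover message pairs this revert with a resend of the proper fix, so it should only be applied together with that patch; ppc_load_bare_bits continues outside the hunk.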