? 2013?04?16? 21:54, Simon Horman ??:
> On Tue, Apr 16, 2013 at 09:04:31PM +0800, Zhang Yanfei wrote:
>> Hi Simon,
>>
>> I found that you may apply the patch from Suzuki with a wrong commit
>> description by mistake. So I send this revert patch and resend the
>> patch in another mail with a subject:
>> "[PATCH RESEND] kexec/powerpc: Handle buffer overflow in kernel command line"
>>
>> Could you please apply the two patches?
>
> Sorry for my carelessness.
>
> I have removed the patch I applied earlier today, applied the
> one you posted after this one and forcibly pushed the result.
>
OK. Now it is ok. Thanks Zhang
>>
>> Thanks
>> Zhang
>>
>> ? 2013?04?16? 20:59, Zhang Yanfei ??:
>>> From: Zhang Yanfei <zhangyanfei at cn.fujitsu.com>
>>>
>>> This reverts commit d58dcae3e61b375578ff3145e627a5d85afb5f52.
>>>
>>> The commit description is kind of wrong and maybe caused by Simon
>>> when he applied the patch.
>>>
>>> Signed-off-by: Zhang Yanfei <zhangyanfei at cn.fujitsu.com>
>>> ---
>>> kexec/arch/ppc/kexec-elf-ppc.c | 29 +++++++++++++----------------
>>> kexec/arch/ppc/kexec-uImage-ppc.c | 23 +++++++++-------------
>>> 2 files changed, 22 insertions(+), 30 deletions(-)
>>>
>>> diff --git a/kexec/arch/ppc/kexec-elf-ppc.c b/kexec/arch/ppc/kexec-elf-ppc.c
>>> index 98cae9c..3daca2d 100644
>>> --- a/kexec/arch/ppc/kexec-elf-ppc.c
>>> +++ b/kexec/arch/ppc/kexec-elf-ppc.c
>>> @@ -157,7 +157,7 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
>>> struct mem_ehdr ehdr;
>>> char *command_line, *crash_cmdline, *cmdline_buf;
>>> char *tmp_cmdline;
>>> - int command_line_len, crash_cmdline_len;
>>> + int command_line_len;
>>> char *dtb;
>>> int result;
>>> char *error_msg;
>>> @@ -244,10 +244,19 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
>>> } else {
>>> command_line = get_command_line();
>>> }
>>> - command_line_len = strlen(command_line);
>>> + command_line_len = strlen(command_line) + 1;
>>>
>>> fixup_nodes[cur_fixup] = NULL;
>>>
>>> + /* Need to append some command line parameters internally in case of
>>> + * taking crash dumps.
>>> + */
>>> + if (info->kexec_flags & KEXEC_ON_CRASH) {
>>> + crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
>>> + memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
>>> + } else
>>> + crash_cmdline = NULL;
>>> +
>>> /* Parse the Elf file */
>>> result = build_elf_exec_info(buf, len, &ehdr, 0);
>>> if (result < 0) {
>>> @@ -283,23 +292,16 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
>>> goto out;
>>> }
>>>
>>> - /*
>>> - * Need to append some command line parameters internally in case of
>>> - * taking crash dumps. Additional segments need to be created.
>>> + /* If panic kernel is being loaded, additional segments need
>>> + * to be created.
>>> */
>>> if (info->kexec_flags & KEXEC_ON_CRASH) {
>>> - crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
>>> - memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
>>> result = load_crashdump_segments(info, crash_cmdline,
>>> max_addr, 0);
>>> if (result < 0) {
>>> result = -1;
>>> goto out;
>>> }
>>> - crash_cmdline_len = strlen(crash_cmdline);
>>> - } else {
>>> - crash_cmdline = NULL;
>>> - crash_cmdline_len = 0;
>>> }
>>>
>>> /*
>>> @@ -335,11 +337,6 @@ int elf_ppc_load(int argc, char **argv, const char *buf, off_t len,
>>>
>>> info->entry = (void *)arg_base;
>>> #else
>>> - if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
>>> - printf("Kernel command line exceeds size\n");
>>> - return -1;
>>> - }
>>> -
>>> cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
>>> memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
>>> if (command_line)
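Review bot: With the `crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE` check removed from the `#else` branch, nothing left on the new side bounds the user-supplied command line plus the crash parameters against the COMMAND_LINE_SIZE buffer that `cmdline_buf = xmalloc(COMMAND_LINE_SIZE);` allocates on the next line, and the copies into that buffer follow just past the end of this hunk. The revert is deliberate and is meant to be followed immediately by the resent "Handle buffer overflow in kernel command line" patch, so the gap is expected, but the tree is only safe if both land in the same push; a stand-alone revert leaves an exploitable heap overflow for anyone who can pass a long `--append`. If it must stand alone for any time, I would keep a destination-bounded guard ahead of the xmalloc, `if (strlen(command_line) + (crash_cmdline ? strlen(crash_cmdline) : 0) + 1 > COMMAND_LINE_SIZE) { result = -1; goto out; }`, using `goto out` rather than the bare `return -1` of the dropped code so the cleanup path still runs. Note that the `if (command_line)` guard on the last line implies command_line may be NULL, while the earlier hunk computes `strlen(command_line) + 1` unconditionally; I cannot tell from here whether get_command_line() ever returns NULL, so that deserves a look too. elf_ppc_load's body ends outside this hunk.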
>>> diff --git a/kexec/arch/ppc/kexec-uImage-ppc.c b/kexec/arch/ppc/kexec-uImage-ppc.c
>>> index 008463b..9113fbe 100644
>>> --- a/kexec/arch/ppc/kexec-uImage-ppc.c
>>> +++ b/kexec/arch/ppc/kexec-uImage-ppc.c
>>> @@ -82,7 +82,7 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
>>> {
>>> char *command_line, *cmdline_buf, *crash_cmdline;
>>> char *tmp_cmdline;
>>> - int command_line_len, crash_cmdline_len;
>>> + int command_line_len;
>>> char *dtb;
>>> unsigned int addr;
>>> unsigned long dtb_addr;
>>> @@ -178,34 +178,29 @@ static int ppc_load_bare_bits(int argc, char **argv, const char *buf,
>>>
>>> add_segment(info, buf, len, load_addr, len + _1MiB);
>>>
>>> -
>>> if (info->kexec_flags & KEXEC_ON_CRASH) {
>>> crash_cmdline = xmalloc(COMMAND_LINE_SIZE);
>>> memset((void *)crash_cmdline, 0, COMMAND_LINE_SIZE);
>>> + } else
>>> + crash_cmdline = NULL;
>>> +
>>> + if (info->kexec_flags & KEXEC_ON_CRASH) {
>>> ret = load_crashdump_segments(info, crash_cmdline,
>>> max_addr, 0);
>>> if (ret < 0) {
>>> ret = -1;
>>> goto out;
>>> }
>>> - crash_cmdline_len = strlen(crash_cmdline);
>>> - } else {
>>> - crash_cmdline = NULL;
>>> - crash_cmdline_len = 0;
>>> - }
>>> -
>>> - if (crash_cmdline_len + command_line_len + 1 > COMMAND_LINE_SIZE) {
>>> - printf("Kernel command line exceeds maximum possible length\n");
>>> - return -1;
>>> }
>>>
>>> cmdline_buf = xmalloc(COMMAND_LINE_SIZE);
>>> memset((void *)cmdline_buf, 0, COMMAND_LINE_SIZE);
>>> -
>>> if (command_line)
>>> - strcpy(cmdline_buf, command_line);
>>> + strncat(cmdline_buf, command_line, command_line_len);
>>> if (crash_cmdline)
>>> - strncat(cmdline_buf, crash_cmdline,
>>> + sizeof(crash_cmdline) -
>>> + strlen(crash_cmdline) - 1);
>>>
>>> elf_rel_build_load(info, &info->rhdr, (const char *)purgatory,
>>> purgatory_size, 0, -1, -1, 0);
>>
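Review bot: The bound the new side restores on the last strncat, `sizeof(crash_cmdline) - strlen(crash_cmdline) - 1`, is the size of a `char *` (4 or 8 bytes), not of the COMMAND_LINE_SIZE buffer it points to, so as soon as crash_cmdline holds more than a few characters the unsigned subtraction wraps and strncat is effectively unbounded against cmdline_buf; the preceding `strncat(cmdline_buf, command_line, command_line_len)` is likewise bounded by the source length rather than by the space left in the destination, and the explicit length check this hunk deletes was the only thing keeping the concatenation inside COMMAND_LINE_SIZE. This is exactly the overflow the resent "Handle buffer overflow in kernel command line" patch is meant to fix, so the revert is acceptable only if that patch lands in the same push, as the thread says it did. If the revert ever has to stand on its own, the minimal safe form is to bound both copies against the destination, `strncat(cmdline_buf, command_line, COMMAND_LINE_SIZE - 1);` and `strncat(cmdline_buf, crash_cmdline, COMMAND_LINE_SIZE - strlen(cmdline_buf) - 1);`, and to fail with an error rather than silently truncating the panic kernel's command line, since a truncated crashkernel parameter yields a dump kernel that boots into the wrong memory. Where command_line_len is computed for this function is outside the hunk, so I cannot confirm it matches the `if (command_line)` guard here. ppc_load_bare_bits continues past the end of this hunk.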