Re: [PATCH] efi/libstub: Don't parse overlong command lines

Ard Biesheuvel <ardb@xxxxxxxxxx> · Fri, 22 May 2020 15:13:14 +0200

On Thu, 21 May 2020 at 02:29, Arvind Sankar <nivedita@xxxxxxxxxxxx> wrote:
>
> Check if the command line passed in is larger than COMMAND_LINE_SIZE,
> and truncate it to the last full argument if so.
>
> Signed-off-by: Arvind Sankar <nivedita@xxxxxxxxxxxx>

Queued up in efi/next, thanks.

> ---
>  .../firmware/efi/libstub/efi-stub-helper.c    | 28 +++++++++++++++----
>  1 file changed, 23 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
> index 2a6aded4f2a9..89f075275300 100644
> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
> @@ -9,10 +9,12 @@
>
>  #include <stdarg.h>
>
> +#include <linux/ctype.h>
>  #include <linux/efi.h>
>  #include <linux/kernel.h>
>  #include <linux/printk.h> /* For CONSOLE_LOGLEVEL_* */
>  #include <asm/efi.h>
> +#include <asm/setup.h>
>
>  #include "efistub.h"
>
> @@ -216,22 +218,33 @@ char *efi_convert_cmdline(efi_loaded_image_t *image, int *cmd_line_len)
>         unsigned long cmdline_addr = 0;
>         int options_chars = efi_table_attr(image, load_options_size) / 2;
>         const u16 *options = efi_table_attr(image, load_options);
> -       int options_bytes = 0;  /* UTF-8 bytes */
> +       int options_bytes = 0, safe_options_bytes = 0;  /* UTF-8 bytes */
> +       bool in_quote = false;
>         efi_status_t status;
>
>         if (options) {
>                 s2 = options;
> -               while (options_chars--) {
> +               while (options_bytes < COMMAND_LINE_SIZE && options_chars--) {
>                         u16 c = *s2++;
>
> -                       if (c == L'\0' || c == L'\n')
> -                               break;
> +                       if (c < 0x80) {
> +                               if (c == L'\0' || c == L'\n')
> +                                       break;
> +                               if (c == L'"')
> +                                       in_quote = !in_quote;
> +                               else if (!in_quote && isspace((char)c))
> +                                       safe_options_bytes = options_bytes;
> +
> +                               options_bytes++;
> +                               continue;
> +                       }
> +
>                         /*
>                          * Get the number of UTF-8 bytes corresponding to a
>                          * UTF-16 character.
>                          * The first part handles everything in the BMP.
>                          */
> -                       options_bytes += 1 + (c >= 0x80) + (c >= 0x800);
> +                       options_bytes += 2 + (c >= 0x800);
>                         /*
>                          * Add one more byte for valid surrogate pairs. Invalid
>                          * surrogates will be replaced with 0xfffd and take up
> @@ -252,6 +265,11 @@ char *efi_convert_cmdline(efi_loaded_image_t *image, int *cmd_line_len)
>                                 }
>                         }
>                 }
> +               if (options_bytes >= COMMAND_LINE_SIZE) {
> +                       options_bytes = safe_options_bytes;
> +                       efi_err("Command line is too long: truncated to %d bytes\n",
> +                               options_bytes);
> +               }
>         }
>
>         options_bytes++;        /* NUL termination */
> --
> 2.26.2
>