2018-01-06 17:13:39 +03:00
|
|
|
From 0b7f51014f5219ece1ca55662495bd036f3bd00d Mon Sep 17 00:00:00 2001
|
|
|
|
From: Tom Lendacky <thomas.lendacky@amd.com>
|
|
|
|
Date: Mon, 17 Jul 2017 16:10:33 -0500
|
2018-01-07 15:17:59 +03:00
|
|
|
Subject: [PATCH 049/233] x86/boot: Add early cmdline parsing for options with
|
2018-01-06 17:13:39 +03:00
|
|
|
arguments
|
|
|
|
MIME-Version: 1.0
|
|
|
|
Content-Type: text/plain; charset=UTF-8
|
|
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
|
|
|
|
CVE-2017-5754
|
|
|
|
|
|
|
|
Add a cmdline_find_option() function to look for cmdline options that
|
|
|
|
take arguments. The argument is returned in a supplied buffer and the
|
|
|
|
argument length (regardless of whether it fits in the supplied buffer)
|
|
|
|
is returned, with -1 indicating not found.
|
|
|
|
|
|
|
|
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
|
|
|
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
|
|
|
|
Cc: Alexander Potapenko <glider@google.com>
|
|
|
|
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
|
|
|
|
Cc: Andy Lutomirski <luto@kernel.org>
|
|
|
|
Cc: Arnd Bergmann <arnd@arndb.de>
|
|
|
|
Cc: Borislav Petkov <bp@alien8.de>
|
|
|
|
Cc: Brijesh Singh <brijesh.singh@amd.com>
|
|
|
|
Cc: Dave Young <dyoung@redhat.com>
|
|
|
|
Cc: Dmitry Vyukov <dvyukov@google.com>
|
|
|
|
Cc: Jonathan Corbet <corbet@lwn.net>
|
|
|
|
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
|
|
Cc: Larry Woodman <lwoodman@redhat.com>
|
|
|
|
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
|
|
|
Cc: Matt Fleming <matt@codeblueprint.co.uk>
|
|
|
|
Cc: Michael S. Tsirkin <mst@redhat.com>
|
|
|
|
Cc: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
|
Cc: Peter Zijlstra <peterz@infradead.org>
|
|
|
|
Cc: Radim Krčmář <rkrcmar@redhat.com>
|
|
|
|
Cc: Rik van Riel <riel@redhat.com>
|
|
|
|
Cc: Toshimitsu Kani <toshi.kani@hpe.com>
|
|
|
|
Cc: kasan-dev@googlegroups.com
|
|
|
|
Cc: kvm@vger.kernel.org
|
|
|
|
Cc: linux-arch@vger.kernel.org
|
|
|
|
Cc: linux-doc@vger.kernel.org
|
|
|
|
Cc: linux-efi@vger.kernel.org
|
|
|
|
Cc: linux-mm@kvack.org
|
|
|
|
Link: http://lkml.kernel.org/r/36b5f97492a9745dce27682305f990fc20e5cf8a.1500319216.git.thomas.lendacky@amd.com
|
|
|
|
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
|
|
|
(cherry picked from commit e505371dd83963caae1a37ead9524e8d997341be)
|
|
|
|
Signed-off-by: Andy Whitcroft <apw@kathleen.maas>
|
|
|
|
(cherry picked from commit 37569cd003aa69a57d5666530436c2d973a57b26)
|
|
|
|
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
|
|
|
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
|
|
|
(cherry picked from commit b9f03418aa9b8ecbb1c7f32ac2bfe68fd21de4f5)
|
|
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
|
|
---
|
|
|
|
arch/x86/include/asm/cmdline.h | 2 +
|
|
|
|
arch/x86/lib/cmdline.c | 105 +++++++++++++++++++++++++++++++++++++++++
|
|
|
|
2 files changed, 107 insertions(+)
|
|
|
|
|
|
|
|
diff --git a/arch/x86/include/asm/cmdline.h b/arch/x86/include/asm/cmdline.h
|
|
|
|
index e01f7f7ccb0c..84ae170bc3d0 100644
|
|
|
|
--- a/arch/x86/include/asm/cmdline.h
|
|
|
|
+++ b/arch/x86/include/asm/cmdline.h
|
|
|
|
@@ -2,5 +2,7 @@
|
|
|
|
#define _ASM_X86_CMDLINE_H
|
|
|
|
|
|
|
|
int cmdline_find_option_bool(const char *cmdline_ptr, const char *option);
|
|
|
|
+int cmdline_find_option(const char *cmdline_ptr, const char *option,
|
|
|
|
+ char *buffer, int bufsize);
|
|
|
|
|
|
|
|
#endif /* _ASM_X86_CMDLINE_H */
|
|
|
|
diff --git a/arch/x86/lib/cmdline.c b/arch/x86/lib/cmdline.c
|
|
|
|
index 5cc78bf57232..3261abb21ef4 100644
|
|
|
|
--- a/arch/x86/lib/cmdline.c
|
|
|
|
+++ b/arch/x86/lib/cmdline.c
|
|
|
|
@@ -104,7 +104,112 @@ __cmdline_find_option_bool(const char *cmdline, int max_cmdline_size,
|
|
|
|
return 0; /* Buffer overrun */
|
|
|
|
}
|
|
|
|
|
|
|
|
+/*
|
|
|
|
+ * Find a non-boolean option (i.e. option=argument). In accordance with
|
|
|
|
+ * standard Linux practice, if this option is repeated, this returns the
|
|
|
|
+ * last instance on the command line.
|
|
|
|
+ *
|
|
|
|
+ * @cmdline: the cmdline string
|
|
|
|
+ * @max_cmdline_size: the maximum size of cmdline
|
|
|
|
+ * @option: option string to look for
|
|
|
|
+ * @buffer: memory buffer to return the option argument
|
|
|
|
+ * @bufsize: size of the supplied memory buffer
|
|
|
|
+ *
|
|
|
|
+ * Returns the length of the argument (regardless of if it was
|
|
|
|
+ * truncated to fit in the buffer), or -1 on not found.
|
|
|
|
+ */
|
|
|
|
+static int
|
|
|
|
+__cmdline_find_option(const char *cmdline, int max_cmdline_size,
|
|
|
|
+ const char *option, char *buffer, int bufsize)
|
|
|
|
+{
|
|
|
|
+ char c;
|
|
|
|
+ int pos = 0, len = -1;
|
|
|
|
+ const char *opptr = NULL;
|
|
|
|
+ char *bufptr = buffer;
|
|
|
|
+ enum {
|
|
|
|
+ st_wordstart = 0, /* Start of word/after whitespace */
|
|
|
|
+ st_wordcmp, /* Comparing this word */
|
|
|
|
+ st_wordskip, /* Miscompare, skip */
|
|
|
|
+ st_bufcpy, /* Copying this to buffer */
|
|
|
|
+ } state = st_wordstart;
|
|
|
|
+
|
|
|
|
+ if (!cmdline)
|
|
|
|
+ return -1; /* No command line */
|
|
|
|
+
|
|
|
|
+ /*
|
|
|
|
+ * This 'pos' check ensures we do not overrun
|
|
|
|
+ * a non-NULL-terminated 'cmdline'
|
|
|
|
+ */
|
|
|
|
+ while (pos++ < max_cmdline_size) {
|
|
|
|
+ c = *(char *)cmdline++;
|
|
|
|
+ if (!c)
|
|
|
|
+ break;
|
|
|
|
+
|
|
|
|
+ switch (state) {
|
|
|
|
+ case st_wordstart:
|
|
|
|
+ if (myisspace(c))
|
|
|
|
+ break;
|
|
|
|
+
|
|
|
|
+ state = st_wordcmp;
|
|
|
|
+ opptr = option;
|
|
|
|
+ /* fall through */
|
|
|
|
+
|
|
|
|
+ case st_wordcmp:
|
|
|
|
+ if ((c == '=') && !*opptr) {
|
|
|
|
+ /*
|
|
|
|
+ * We matched all the way to the end of the
|
|
|
|
+ * option we were looking for, prepare to
|
|
|
|
+ * copy the argument.
|
|
|
|
+ */
|
|
|
|
+ len = 0;
|
|
|
|
+ bufptr = buffer;
|
|
|
|
+ state = st_bufcpy;
|
|
|
|
+ break;
|
|
|
|
+ } else if (c == *opptr++) {
|
|
|
|
+ /*
|
|
|
|
+ * We are currently matching, so continue
|
|
|
|
+ * to the next character on the cmdline.
|
|
|
|
+ */
|
|
|
|
+ break;
|
|
|
|
+ }
|
|
|
|
+ state = st_wordskip;
|
|
|
|
+ /* fall through */
|
|
|
|
+
|
|
|
|
+ case st_wordskip:
|
|
|
|
+ if (myisspace(c))
|
|
|
|
+ state = st_wordstart;
|
|
|
|
+ break;
|
|
|
|
+
|
|
|
|
+ case st_bufcpy:
|
|
|
|
+ if (myisspace(c)) {
|
|
|
|
+ state = st_wordstart;
|
|
|
|
+ } else {
|
|
|
|
+ /*
|
|
|
|
+ * Increment len, but don't overrun the
|
|
|
|
+ * supplied buffer and leave room for the
|
|
|
|
+ * NULL terminator.
|
|
|
|
+ */
|
|
|
|
+ if (++len < bufsize)
|
|
|
|
+ *bufptr++ = c;
|
|
|
|
+ }
|
|
|
|
+ break;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (bufsize)
|
|
|
|
+ *bufptr = '\0';
|
|
|
|
+
|
|
|
|
+ return len;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
int cmdline_find_option_bool(const char *cmdline, const char *option)
|
|
|
|
{
|
|
|
|
return __cmdline_find_option_bool(cmdline, COMMAND_LINE_SIZE, option);
|
|
|
|
}
|
|
|
|
+
|
|
|
|
+int cmdline_find_option(const char *cmdline, const char *option, char *buffer,
|
|
|
|
+ int bufsize)
|
|
|
|
+{
|
|
|
|
+ return __cmdline_find_option(cmdline, COMMAND_LINE_SIZE, option,
|
|
|
|
+ buffer, bufsize);
|
|
|
|
+}
|
|
|
|
--
|
|
|
|
2.14.2
|
|
|
|
|