From 76a286530a8b5bdbab81c3851b851dea2da32114 Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Mon, 13 Feb 2023 20:40:42 +0000 Subject: [image] Check delimiters when parsing command-line key-value arguments The Linux kernel bzImage image format and the CPIO archive constructor will parse the image command line for certain arguments of the form "key=value". This parsing is currently implemented using strstr() in a way that can cause a false positive suffix match. For example, a command line containing "highmem=" would erroneously be treated as containing a value for "mem=". Fix by centralising the logic used for parsing such arguments, and including a check that the argument immediately follows a whitespace delimiter (or is at the start of the string). Reported-by: Filippo Giunchedi Signed-off-by: Michael Brown --- src/core/cpio.c | 9 ++------- src/core/image.c | 31 +++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 7 deletions(-) (limited to 'src/core') diff --git a/src/core/cpio.c b/src/core/cpio.c index 27aee7581..4b607e260 100644 --- a/src/core/cpio.c +++ b/src/core/cpio.c @@ -77,17 +77,12 @@ size_t cpio_name_len ( struct image *image ) { */ static void cpio_parse_cmdline ( struct image *image, struct cpio_header *cpio ) { - const char *cmdline; - char *arg; + const char *arg; char *end; unsigned int mode; - /* Skip image filename */ - cmdline = ( cpio_name ( image ) + cpio_name_len ( image ) ); - /* Look for "mode=" */ - if ( ( arg = strstr ( cmdline, "mode=" ) ) ) { - arg += 5; + if ( ( arg = image_argument ( image, "mode=" ) ) ) { mode = strtoul ( arg, &end, 8 /* Octal for file mode */ ); if ( *end && ( *end != ' ' ) ) { DBGC ( image, "CPIO %p strange \"mode=\" " diff --git a/src/core/image.c b/src/core/image.c index 3e236ca60..f6d3d8ddd 100644 --- a/src/core/image.c +++ b/src/core/image.c @@ -27,6 +27,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #include #include #include +#include #include #include #include @@ -569,3 +570,33 @@ struct image * image_memory ( const char *name, userptr_t data, size_t len ) { err_alloc_image: return NULL; } + +/** + * Find argument within image command line + * + * @v image Image + * @v key Argument search key (including trailing delimiter) + * @ret value Argument value, or NULL if not found + */ +const char * image_argument ( struct image *image, const char *key ) { + const char *cmdline = image->cmdline; + const char *search; + const char *match; + const char *next; + + /* Find argument */ + for ( search = cmdline ; search ; search = next ) { + + /* Find next occurrence, if any */ + match = strstr ( search, key ); + if ( ! match ) + break; + next = ( match + strlen ( key ) ); + + /* Check preceding delimiter, if any */ + if ( ( match == cmdline ) || isspace ( match[-1] ) ) + return next; + } + + return NULL; +} -- cgit