From a0f82a2a936264e62cf610c14548f88ef2592887 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Tue, 2 Mar 2021 02:25:20 +0100
Subject: [PATCH] Limit maximum length of kernelopts property

Theoretically libvirt/libxl should reject too long values anyway, but
lets provide early feedback and reject value that would cause VM start
fail later.

Reported by @DemiMarie
---
 qubes/tests/vm/qubesvm.py |  6 ++----
 qubes/vm/qubesvm.py       | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/qubes/tests/vm/qubesvm.py b/qubes/tests/vm/qubesvm.py
index 32347d84..75815af4 100644
--- a/qubes/tests/vm/qubesvm.py
+++ b/qubes/tests/vm/qubesvm.py
@@ -540,10 +540,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
         del vm.kernelopts
         self.assertPropertyDefaultValue(vm, 'kernelopts',
             qubes.config.defaults['kernelopts'])
-        self.assertPropertyValue(vm, 'kernelopts', '',
-            '', '')
-        # TODO?
-        # self.assertPropertyInvalidValue(vm, 'kernelopts', None),
+        self.assertPropertyValue(vm, 'kernelopts', '', '', '')
+        self.assertPropertyInvalidValue(vm, 'kernelopts', 'A' * 1024),
 
     @unittest.skip('test not implemented')
     def test_261_kernelopts_pcidevs(self):
diff --git a/qubes/vm/qubesvm.py b/qubes/vm/qubesvm.py
index c989c5b9..c51a2dba 100644
--- a/qubes/vm/qubesvm.py
+++ b/qubes/vm/qubesvm.py
@@ -71,6 +71,22 @@ def _setter_kernel(self, prop, value):
     return value
 
 
+def _setter_kernelopts(self, prop, value):
+    """Helper for setting the domain kernelopts and running sanity checks on it.
+    """
+    if not value:
+        return ''
+    value = str(value)
+    # At least some parts of the Xen boot ABI limits the cmdline to 1024 chars.
+    # Limit it here to 512 chars, to leave some space for kernelopts_common
+    # and still be safe also against off-by-one errors.
+    if len(value) > 512:
+        raise qubes.exc.QubesPropertyValueError(
+            self, prop, value,
+            'Kernelopts value too long (512 chars max)')
+    return value
+
+
 def _setter_positive_int(self, prop, value):
     """ Helper for setting a positive int. Checks that the int is > 0 """
     # pylint: disable=unused-argument
@@ -635,6 +651,7 @@ class QubesVM(qubes.vm.mix.net.NetVMMixin, qubes.vm.BaseVM):
     kernelopts = qubes.property(
         'kernelopts', type=str, load_stage=4,
         default=_default_kernelopts,
+        setter=_setter_kernelopts,
         doc='Kernel command line passed to domain. TemplateBasedVMs use its '
             'template\'s value by default.')