From nobody Fri Dec 19 12:28:20 2025 Received: from mail-m92249.xmail.ntesmail.com (mail-m92249.xmail.ntesmail.com [103.126.92.249]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8CD76125AB for ; Wed, 20 Dec 2023 06:09:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=easystack.cn Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=easystack.cn Received: from fedora.. (unknown [211.103.144.18]) by smtp.qiye.163.com (Hmail) with ESMTPA id DF6E726015E; Wed, 20 Dec 2023 13:57:42 +0800 (CST) From: fuqiang wang To: Baoquan He , Vivek Goyal , Dave Young , Yuntao Wang Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 1/2] x86/kexec: Fix potential out of bounds in crash_setup_memmap_entries() Date: Wed, 20 Dec 2023 13:57:31 +0800 Message-ID: <20231220055733.100325-2-fuqiang.wang@easystack.cn> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231220055733.100325-1-fuqiang.wang@easystack.cn> References: <20231220055733.100325-1-fuqiang.wang@easystack.cn> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFJQjdXWS1ZQUlXWQ8JGhUIEh9ZQVkZHktOVkMdTx0aThlPHx4fGlUZERMWGhIXJBQOD1 lXWRgSC1lBWUlKSlVKS0hVSk9PVUpDWVdZFhoPEhUdFFlBWU9LSFVKTU9JTE5VSktLVUpCS0tZBg ++ X-HM-Tid: 0a8c85cd26650276kunmdf6e726015e X-HM-MType: 1 X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6Ky46Igw6LzE2P1FOOgI4Cw4u NwFPCjpVSlVKTEtIS05KQ01PTk1CVTMWGhIXVR0OChIaFRxVDBoVHDseGggCCA8aGBBVGBVFWVdZ EgtZQVlJSkpVSktIVUpPT1VKQ1lXWQgBWUFITEJCNwY+ Content-Type: text/plain; charset="utf-8" In memmap_exclude_ranges(), there will exclude elfheader from crashk_res. In the current x86 architecture code, the elfheader is always allocated at crashk_res.start. It seems that there won't be a split a new range. But it depends on the allocation position of elfheader in crashk_res. To avoid potential out of bounds in future, Set the array size to 2. But similar issue will not exist in fill_up_crash_elf_data(). Because the range to be excluded is [0, 1M], start (0) is special and will not appear in the middle of existing cmem->ranges[]. I added a comment to explain it. Signed-off-by: fuqiang wang --- arch/x86/kernel/crash.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c index c92d88680dbf..1c15d0884c90 100644 --- a/arch/x86/kernel/crash.c +++ b/arch/x86/kernel/crash.c @@ -149,6 +149,13 @@ static struct crash_mem *fill_up_crash_elf_data(void) /* * Exclusion of crash region and/or crashk_low_res may cause * another range split. So add extra two slots here. + * + * Exclusion of low 1M may not cause another range split, because the + * range of exclude is [0, 1M] and the condition for splitting a new + * region is that the start, end parameters are both in a certain + * existing region in cmem and cannot be equal to existing region's + * start or end. Obviously, the start of [0, 1M] cannot meet this + * condition. */ nr_ranges +=3D 2; cmem =3D vzalloc(struct_size(cmem, ranges, nr_ranges)); @@ -282,9 +289,15 @@ int crash_setup_memmap_entries(struct kimage *image, s= truct boot_params *params) struct crash_memmap_data cmd; struct crash_mem *cmem; =20 - cmem =3D vzalloc(struct_size(cmem, ranges, 1)); + cmem =3D vzalloc(struct_size(cmem, ranges, 2)); if (!cmem) return -ENOMEM; + cmem->max_nr_ranges =3D 2; + + /* Exclude some ranges from crashk_res and add rest to memmap */ + ret =3D memmap_exclude_ranges(image, cmem, crashk_res.start, crashk_res.e= nd); + if (ret) + goto out; =20 memset(&cmd, 0, sizeof(struct crash_memmap_data)); cmd.params =3D params; @@ -320,11 +333,6 @@ int crash_setup_memmap_entries(struct kimage *image, s= truct boot_params *params) add_e820_entry(params, &ei); } =20 - /* Exclude some ranges from crashk_res and add rest to memmap */ - ret =3D memmap_exclude_ranges(image, cmem, crashk_res.start, crashk_res.e= nd); - if (ret) - goto out; - for (i =3D 0; i < cmem->nr_ranges; i++) { ei.size =3D cmem->ranges[i].end - cmem->ranges[i].start + 1; =20 --=20 2.42.0 From nobody Fri Dec 19 12:28:20 2025 Received: from mail-m12826.netease.com (mail-m12826.netease.com [103.209.128.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8341820DF1 for ; Wed, 20 Dec 2023 10:14:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=easystack.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=easystack.cn Received: from fedora.. (unknown [211.103.144.18]) by smtp.qiye.163.com (Hmail) with ESMTPA id BD44F26015D; Wed, 20 Dec 2023 13:57:44 +0800 (CST) From: fuqiang wang To: Baoquan He , Vivek Goyal , Dave Young , Yuntao Wang Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 2/2] kexec: Fix potential out of bounds in crash_exclude_mem_range() Date: Wed, 20 Dec 2023 13:57:32 +0800 Message-ID: <20231220055733.100325-3-fuqiang.wang@easystack.cn> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231220055733.100325-1-fuqiang.wang@easystack.cn> References: <20231220055733.100325-1-fuqiang.wang@easystack.cn> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFJQjdXWS1ZQUlXWQ8JGhUIEh9ZQVlCHxhPVk5IHksdTE0ZGk8YGFUZERMWGhIXJBQOD1 lXWRgSC1lBWUlKSlVKS0hVSk9PVUpDWVdZFhoPEhUdFFlBWU9LSFVKTU9JTE5VSktLVUpCS0tZBg ++ X-HM-Tid: 0a8c85cd2dbc0276kunmbd44f26015d X-HM-MType: 1 X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MS46Nxw6PzErFVEBDAMPCwgq Ng4aCj5VSlVKTEtIS05KQ01NSUNIVTMWGhIXVR0OChIaFRxVDBoVHDseGggCCA8aGBBVGBVFWVdZ EgtZQVlJSkpVSktIVUpPT1VKQ1lXWQgBWUFJSExKNwY+ Content-Type: text/plain; charset="utf-8" When the split does not occur on the last array member, the current code will not return an error. So the correct array out-of-bounds check should be mem->nr_ranges >=3D mem->max_nr_ranges. When the OOB happen, the cmem->ranges[] have changed, so return early to avoid it. Signed-off-by: fuqiang wang --- kernel/crash_core.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/kernel/crash_core.c b/kernel/crash_core.c index d4313b53837e..b1ab61c74fd2 100644 --- a/kernel/crash_core.c +++ b/kernel/crash_core.c @@ -611,6 +611,9 @@ int crash_exclude_mem_range(struct crash_mem *mem, } =20 if (p_start > start && p_end < end) { + /* Split happened */ + if (mem->nr_ranges >=3D mem->max_nr_ranges) + return -ENOMEM; /* Split original range */ mem->ranges[i].end =3D p_start - 1; temp_range.start =3D p_end + 1; @@ -626,10 +629,6 @@ int crash_exclude_mem_range(struct crash_mem *mem, if (!temp_range.end) return 0; =20 - /* Split happened */ - if (i =3D=3D mem->max_nr_ranges - 1) - return -ENOMEM; - /* Location where new range should go */ j =3D i + 1; if (j < mem->nr_ranges) { --=20 2.42.0