From: Pwnverse
To: kees@kernel.org
Cc: gregkh@linuxfoundation.org, tony.luck@intel.com, gpiccoli@igalia.com, anton.vorontsov@linaro.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sai Ritvik Tanksalkar
Subject: [PATCH v2] pstore/ram: fix buffer overflow in persistent_ram_save_old()
Date: Sun, 1 Feb 2026 13:22:40 +0000
Message-ID: <20260201132240.2948732-1-stanksal@purdue.edu>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Sai Ritvik Tanksalkar

persistent_ram_save_old() can be called multiple times for the same
persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz
for PSTORE_TYPE_DMESG records). Currently, the function only allocates
prz->old_log when it is NULL, but it unconditionally updates
prz->old_log_size to the current buffer size and then performs
memcpy_fromio() using this new size.

If the buffer size has grown since the first allocation (which can happen
across different kernel boot cycles), this leads to:

1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls
2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer
   using the incorrect (larger) old_log_size

The KASAN splat would look similar to:

BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x...
Read of size N at addr ... by task ...

Fix this by freeing and reallocating the buffer when the new size exceeds
the previously allocated size. This ensures old_log always has sufficient
space for the data being copied.

Fixes: 201e4aca5aa1 ("pstore/ram: Should update old dmesg buffer before reading")
Cc: stable@vger.kernel.org
Signed-off-by: Sai Ritvik Tanksalkar
---
v2: Fixed Signed-off-by to use real name (was using Github ID).
    Resending with proper mail client to preserve tabs.

 fs/pstore/ram_core.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index f1848cdd6d34..8df813a42a41 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -298,6 +298,14 @@ void persistent_ram_save_old(struct persistent_ram_zon= e *prz) if (!size) return; =20 + /* + * If the existing buffer is too small, free it so a new one is + * allocated. This can happen when persistent_ram_save_old() is + * called multiple times with different buffer sizes. + */ + if (prz->old_log && prz->old_log_size < size) + persistent_ram_free_old(prz); + if (!prz->old_log) { persistent_ram_ecc_old(prz); prz->old_log =3D kvzalloc(size, GFP_KERNEL); --=20 2.43.0
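Review bot: the new check at the top of the hunk treats `prz->old_log_size` as the allocated capacity, but per the commit message that field is overwritten with the current buffer size on every call, so a zone that shrinks and later grows back to its original size takes the `persistent_ram_free_old(prz)` branch although the existing buffer was already big enough, and then re-enters `if (!prz->old_log)`, which re-runs `persistent_ram_ecc_old(prz)` before the `kvzalloc()`. The result is still safe (old_log is never smaller than size afterwards), but if the extra ECC pass and allocation churn matter, record the allocated size in its own field and compare against that; otherwise the comment above the check should say it is conservative rather than exact.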
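The following is an added example, not code from this patch or from fs/pstore/ram_core.c: a user-space C model of the size-tracking mistake the commit message describes and of the free-then-reallocate fix. Everything in it is hypothetical: `struct zone_model` stands in for `struct persistent_ram_zone` with only the fields the bug involves plus an `old_log_alloc` field the kernel does not have (the model uses it to detect the overrun instead of performing it), the zone contents are treated as already linearised so the two wrap-handling `memcpy_fromio()` calls collapse to one `memcpy()`, and the sample contents are constructed, not real pstore records.

```c
/*
 * Added example, not code from the patch or from fs/pstore/ram_core.c:
 * a user-space model of the size-tracking bug described in the commit
 * message and of the free-then-reallocate fix.
 *
 * Assumptions (all hypothetical, chosen for the model):
 *  - struct zone_model stands in for struct persistent_ram_zone and keeps
 *    only the fields the bug involves, plus old_log_alloc, which the
 *    kernel does not have; the model uses it to detect the overrun
 *    instead of performing it.
 *  - the zone's buffer is treated as already linearised, so the two
 *    memcpy_fromio() calls that handle the ring wrap collapse to one memcpy().
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct zone_model {
	const uint8_t *buffer;	/* live contents of the persistent zone */
	size_t size;		/* bytes currently in the zone, like buffer_size(prz) */
	uint8_t *old_log;	/* heap copy handed to the pstore reader */
	size_t old_log_size;	/* what the kernel tracks: size of the last save */
	size_t old_log_alloc;	/* model only: real capacity of old_log */
};

/* Mirrors persistent_ram_free_old(): drop the heap copy and its bookkeeping. */
static void zone_free_old(struct zone_model *z)
{
	free(z->old_log);
	z->old_log = NULL;
	z->old_log_size = 0;
	z->old_log_alloc = 0;
}

/*
 * Mirrors persistent_ram_save_old(). With fixed == false it follows the
 * pre-patch logic: allocate only when old_log is NULL, then copy `size`
 * bytes regardless of how big that allocation was. With fixed == true it
 * applies the patch's check first.
 *
 * Returns 0 on success, -ENOMEM if the allocation fails, and -EOVERFLOW
 * where the pre-patch kernel code would have written past old_log.
 */
static int zone_save_old(struct zone_model *z, bool fixed)
{
	size_t size = z->size;

	if (!size)
		return 0;

	/* The patch: an existing buffer that is too small is freed first. */
	if (fixed && z->old_log && z->old_log_size < size)
		zone_free_old(z);

	if (!z->old_log) {
		z->old_log = calloc(size, 1);	/* kvzalloc(size, GFP_KERNEL) */
		if (!z->old_log)
			return -ENOMEM;
		z->old_log_alloc = size;
	}

	/* Unconditional in the kernel too: old_log_size tracks the copy, not the allocation. */
	z->old_log_size = size;

	if (size > z->old_log_alloc)
		return -EOVERFLOW;	/* memcpy_fromio() would overrun old_log here */

	memcpy(z->old_log, z->buffer, size);
	return 0;
}

/*
 * Scenario from the commit message: the zone is saved once, its contents
 * grow, and persistent_ram_save_old() runs again on the same zone.
 * Returns the result of the second save, or -EIO if the copy is wrong.
 */
static int run_scenario(bool fixed)
{
	/* constructed sample contents, not real pstore records */
	static const uint8_t first[8] = "0123456";
	static const uint8_t second[16] = "0123456789abcde";
	struct zone_model z = { .buffer = first, .size = sizeof first };
	int ret;

	ret = zone_save_old(&z, fixed);
	if (ret)
		goto out;

	z.buffer = second;
	z.size = sizeof second;
	ret = zone_save_old(&z, fixed);
	if (ret == 0 && memcmp(z.old_log, second, sizeof second) != 0)
		ret = -EIO;
out:
	zone_free_old(&z);
	return ret;
}

int main(void)
{
	printf("pre-patch logic: %d (-EOVERFLOW is %d)\n", run_scenario(false), -EOVERFLOW);
	printf("patched logic:   %d\n", run_scenario(true));
	return 0;
}
```

The -EOVERFLOW return is the model's stand-in for the slab-out-of-bounds write that KASAN reports in the real kernel; the kernel keeps no separate capacity field for old_log, which is exactly why the patch has to free and reallocate rather than bounds-check the copy.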