From: Pengpeng Hou
To: x86@kernel.org
Cc: pengpeng@iscas.ac.cn, kexec@lists.infradead.org, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, "H . Peter Anvin", linux-kernel@vger.kernel.org
Subject: [PATCH] x86/kexec: bound bzImage64 setup header copy
Date: Sun, 22 Mar 2026 11:19:24 +0800
Message-ID: <20260322031924.58050-1-pengpeng@iscas.ac.cn>
X-Mailer: git-send-email 2.50.1

`bzImage64_load()` computes the size of the setup header from the image header bytes and copies that amount into `params->hdr` without first verifying that the derived size fits the destination `setup_header`.
Current in-tree images line up with the expected header length, but the loader still trusts the image-derived byte and will happily copy a larger header area from a malformed bzImage. Reject setup headers larger than `struct setup_header` before copying them into `boot_params`. Signed-off-by: Pengpeng Hou --- arch/x86/kernel/kexec-bzimage64.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzim= age64.c index 5630c7dca1f3..ac31bf092292 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -587,16 +587,20 @@ static void *bzImage64_load(struct kimage *image, cha= r *kernel, kbuf.bufsz +=3D sizeof(struct setup_data) + sizeof(struct kho_data); =20 + /* Copy setup header onto bootparams. Documentation/arch/x86/boot.rst */ + setup_header_size =3D 0x0202 + (unsigned char)kernel[0x0201] - + setup_hdr_offset; + if (setup_header_size > sizeof(struct setup_header)) { + pr_err("bzImage setup header too large\n"); + return ERR_PTR(-ENOEXEC); + } + params =3D kvzalloc(kbuf.bufsz, GFP_KERNEL); if (!params) return ERR_PTR(-ENOMEM); efi_map_offset =3D params_cmdline_sz; efi_setup_data_offset =3D efi_map_offset + ALIGN(efi_map_sz, 16); =20 - /* Copy setup header onto bootparams. Documentation/arch/x86/boot.rst */ - setup_header_size =3D 0x0202 + kernel[0x0201] - setup_hdr_offset; - - /* Is there a limit on setup header size? */ memcpy(¶ms->hdr, (kernel + setup_hdr_offset), setup_header_size); =20 kbuf.buffer =3D params; --=20 2.50.1 (Apple Git-155)
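Review bot: the `(unsigned char)` cast on `kernel[0x0201]` in the new `setup_header_size` line is a second behaviour change that the commit message does not describe: `kernel` is a `char *` (see the hunk header), and `char` is signed on x86, so with the old expression `0x0202 + kernel[0x0201] - setup_hdr_offset` a displacement byte of 0x80 or above was sign-extended and subtracted, yielding a small or wrapped `setup_header_size`; the cast is what makes the new `> sizeof(struct setup_header)` comparison meaningful for such images, so it deserves a sentence in the log. A smaller point: the moved comment "Copy setup header onto bootparams. Documentation/arch/x86/boot.rst" now sits above the size computation and the new check, while the `memcpy()` it describes stays where it was; keep that comment next to the `memcpy()` and give the new block its own comment saying it validates the derived size, so the boot.rst reference still points at the copy it explains.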
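The size derivation the commit message describes (0x0202 plus the jump-displacement byte at 0x0201, minus the header offset, per Documentation/arch/x86/boot.rst), modelled stand-alone with the unchecked form beside the bounded one. This is an added example, not code from the patch or from the kernel tree; it assumes a header offset of 0x1f1, uses a placeholder 0x80-byte `struct setup_header`, requires a 1 KiB minimum image length, and runs on images constructed in the block rather than real bzImages.

```c
/*
 * Added example, not the patch's or the kernel's code: a stand-alone model of
 * the setup-header size derivation bzImage64_load() performs, showing the
 * unchecked version next to the bounded one.
 *
 * Assumptions: SETUP_HDR_OFFSET (0x1f1) stands in for the real header offset,
 * SETUP_HEADER_SIZE (0x80) for sizeof(struct setup_header), MIN_KERNEL_LEN
 * for the loader's minimum image length, and the images are constructed here.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SETUP_HDR_OFFSET  0x1f1u   /* assumed: where the setup header starts */
#define JUMP_DISP_OFFSET  0x0201u  /* displacement byte of the 'jmp' at 0x200 */
#define HDR_END_BASE      0x0202u  /* jump target 0x0202 + disp = end of header */
#define MIN_KERNEL_LEN    1024u    /* assumed minimum image length (two sectors) */
#define SETUP_HEADER_SIZE 0x80u    /* placeholder for sizeof(struct setup_header) */

struct setup_header { uint8_t bytes[SETUP_HEADER_SIZE]; };

/* Old, unchecked derivation. The image buffer is a char *, and char is signed
 * on x86 (modelled explicitly with signed char), so a displacement byte of
 * 0x80 or above is sign-extended; stored into an unsigned length, a negative
 * result becomes a huge memcpy() count. */
long old_setup_header_size(const char *kernel)
{
	return (long)HDR_END_BASE + (signed char)kernel[JUMP_DISP_OFFSET]
	       - (long)SETUP_HDR_OFFSET;
}

/* Checked derivation in the spirit of the patch: read the byte as unsigned,
 * refuse anything larger than the destination struct, and also keep the
 * source read inside the image. Returns 0 or -ENOEXEC. */
int checked_setup_header_size(const unsigned char *kernel, size_t kernel_len,
			      size_t *out)
{
	size_t size;

	if (kernel_len < MIN_KERNEL_LEN)
		return -ENOEXEC;
	size = HDR_END_BASE + kernel[JUMP_DISP_OFFSET] - SETUP_HDR_OFFSET;
	if (size > sizeof(struct setup_header))
		return -ENOEXEC;
	if (SETUP_HDR_OFFSET + size > kernel_len)
		return -ENOEXEC;
	*out = size;
	return 0;
}

/* Copy a validated header into a zeroed destination (the real loader uses
 * kvzalloc), so fields past the image's header end read as zero. */
int load_setup_header(const unsigned char *kernel, size_t kernel_len,
		      struct setup_header *dst, size_t *copied)
{
	size_t size;
	int rc = checked_setup_header_size(kernel, kernel_len, &size);

	if (rc)
		return rc;
	memset(dst, 0, sizeof(*dst));
	memcpy(dst, kernel + SETUP_HDR_OFFSET, size);
	*copied = size;
	return 0;
}

/* Constructed image: filler, the two-byte short jump at 0x200 with
 * displacement `disp`, and the "HdrS" magic at 0x202 as in boot.rst. */
void make_image(unsigned char *img, size_t len, unsigned char disp)
{
	memset(img, 0xAA, len);
	img[0x0200] = 0xEB;
	img[JUMP_DISP_OFFSET] = disp;
	memcpy(img + 0x0202, "HdrS", 4);
}

/* Run the checked loader on a constructed image with displacement `disp`,
 * truncated to kernel_len bytes. Returns the number of header bytes copied,
 * or a negative errno. */
long try_disp(unsigned char disp, size_t kernel_len)
{
	unsigned char img[MIN_KERNEL_LEN];
	struct setup_header hdr;
	size_t copied = 0;
	int rc;

	make_image(img, sizeof(img), disp);
	if (kernel_len > sizeof(img))
		kernel_len = sizeof(img);
	rc = load_setup_header(img, kernel_len, &hdr, &copied);
	if (rc)
		return rc;
	/* model-only sanity check: the magic must land right after the jump */
	if (memcmp(hdr.bytes + (0x0202 - SETUP_HDR_OFFSET), "HdrS", 4) != 0)
		return -EINVAL;
	return (long)copied;
}

/* Old derivation on the same constructed image, for comparison. */
long old_size_for_disp(unsigned char disp)
{
	unsigned char img[MIN_KERNEL_LEN];

	make_image(img, sizeof(img), disp);
	return old_setup_header_size((const char *)img);
}

int main(void)
{
	static const unsigned char disps[] = { 0x66, 0x80, 0xff };
	size_t i;

	for (i = 0; i < sizeof(disps); i++)
		printf("disp 0x%02x: old size %ld, checked result %ld\n",
		       disps[i], old_size_for_disp(disps[i]),
		       try_disp(disps[i], MIN_KERNEL_LEN));
	return 0;
}
```

A displacement of 0x66 derives a 119-byte header and is accepted; 0x80 goes negative under the old signed arithmetic but is rejected by the bound check once read as unsigned; 0xff derives 272 bytes and is rejected as well, where the old code would silently copy 16.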