From: Coiby Xu
To: kexec@lists.infradead.org
Cc: stable@vger.kernel.org, Andrew Morton, Sourabh Jain, Baoquan He, Vivek Goyal, Dave Young, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] crash_dump: Fix potential double free and UAF of keys_header
Date: Fri, 3 Apr 2026 18:01:25 +0800
Message-ID: <20260403100126.1468200-1-coxu@redhat.com>

If kexec_add_buffer fails, keys_header will be freed. And depending on /sys/kernel/config/crash_dm_crypt_key/reuse, it will lead to the following two problems if the kexec_file_load syscall is called again:

1. Double free of keys_header if reuse=false
2. UAF of keys_header if reuse=true

Address these problems by setting keys_header to NULL after freeing kbuf.buffer and re-building keys_header when necessary, respectively.

Fixes: 479e58549b0f ("crash_dump: store dm crypt keys in kdump reserved memory")
Fixes: 9ebfa8dcaea7 ("crash_dump: reuse saved dm crypt keys for CPU/memory hot-plugging")
Cc: stable@vger.kernel.org
Cc: Andrew Morton
Reported-by: Sourabh Jain
Signed-off-by: Coiby Xu
---
 kernel/crash_dump_dm_crypt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/crash_dump_dm_crypt.c b/kernel/crash_dump_dm_crypt.c index a20d4097744a..92eebef27156 100644 --- a/kernel/crash_dump_dm_crypt.c +++ b/kernel/crash_dump_dm_crypt.c @@ -417,7 +417,7 @@ int crash_load_dm_crypt_keys(struct kimage *image) return -ENOENT; } - if (!is_dm_key_reused) { + if (!is_dm_key_reused || !keys_header) { image->dm_crypt_keys_addr = 0; r = build_keys_header(); if (r)
@@ -433,6 +433,7 @@ int crash_load_dm_crypt_keys(struct kimage *image) r = kexec_add_buffer(&kbuf); if (r) { kvfree((void *)kbuf.buffer); + keys_header = NULL; return r; } image->dm_crypt_keys_addr = kbuf.mem;

base-commit: d8a9a4b11a137909e306e50346148fc5c3b63f9d
-- 
2.53.0
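Review bot: the new `!keys_header` test in `if (!is_dm_key_reused || !keys_header)` (first hunk, around line 417) needs a comment, because nothing near this condition says when a header that the user asked to reuse can be NULL; the only path that produces that state is the kexec_add_buffer() failure handled further down, and a reader of this line alone will not connect the two. A one-liner above the test such as `/* NULL if a previous kexec_add_buffer() failed: rebuild instead of reusing */` would do. It is also worth a sentence in the commit message that with reuse=true this now silently rebuilds the header (and zeroes image->dm_crypt_keys_addr) rather than reporting the earlier failure, since that is a behaviour change a user relying on the saved keys may notice.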
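Review bot: the second hunk (around line 433) frees through `kbuf.buffer` but clears `keys_header`, so its correctness rests on the two pointers aliasing, which the commit message states but the hunk does not show. Freeing the owned pointer by name, `kvfree(keys_header); keys_header = NULL;`, would make that ownership explicit and keep the two statements from drifting apart if kbuf.buffer is ever pointed at something else; at minimum a comment that kbuf.buffer aliases keys_header belongs next to the new line.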
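To make the two failure sequences from the commit message concrete, here is an added C model that is not part of the patch or of the kernel: a one-slot allocation tracker stands in for kvfree() and flags any free or read of a pointer that is no longer live, `fixed` switches between the pre- and post-patch logic of the two hunks, and it is assumed (not shown in the hunks) that build_keys_header() releases the previous header before allocating a new one.

```c
#include <stdbool.h>
#include <stdlib.h>

static void *live_buf;            /* the buffer currently allocated, if any */
static void *keys_header;         /* stands in for the kernel's static keys_header */
static bool is_dm_key_reused;     /* /sys/kernel/config/crash_dm_crypt_key/reuse */
static int bugs;                  /* double frees and UAFs caught by the tracker */

/* Model allows a single live buffer, which is all this flow needs. */
static void *track_alloc(size_t n) { if (live_buf) abort(); return live_buf = malloc(n); }

/* kvfree() stand-in: freeing anything but the live buffer is a double free. */
static void track_free(void *p) {
    if (p != live_buf) { bugs++; return; }
    live_buf = NULL;
    free(p);
}
/* Reading through a pointer that is not the live buffer is a use-after-free. */
static void track_use(void *p) { if (!p || p != live_buf) bugs++; }

/* Assumption: build_keys_header() drops any previous header before allocating
 * a fresh one, which is what turns a stale pointer into the double free. */
static void build_keys_header(void) {
    if (keys_header) track_free(keys_header);
    keys_header = track_alloc(64);
}

/* One kexec_file_load(); `fixed` selects pre-/post-patch behaviour and
 * `add_fails` makes the kexec_add_buffer() stand-in fail. */
static int crash_load_dm_crypt_keys(bool fixed, bool add_fails) {
    if (!is_dm_key_reused || (fixed && !keys_header))  /* first hunk */
        build_keys_header();
    track_use(keys_header);           /* header contents are read while filling kbuf */
    void *kbuf_buffer = keys_header;  /* kbuf.buffer aliases keys_header */
    if (add_fails) {
        track_free(kbuf_buffer);
        if (fixed) keys_header = NULL; /* second hunk */
        return -1;
    }
    return 0;
}

/* Two loads, the first failing in kexec_add_buffer(); returns bugs detected. */
static int run_scenario(bool reuse, bool fixed) {
    bugs = 0; keys_header = NULL; is_dm_key_reused = false;
    crash_load_dm_crypt_keys(fixed, true);
    is_dm_key_reused = reuse;
    crash_load_dm_crypt_keys(fixed, false);
    int found = bugs;
    if (live_buf) track_free(live_buf);  /* cleanup; keys_header may be stale here */
    keys_header = NULL;
    return found;
}
```

Without the fix, reuse=false trips the tracker inside build_keys_header() (double free) and reuse=true trips it at the first read of the stale header (UAF); with both hunks applied neither scenario reports a bug.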