From: fuqiang wang <fuqiang.wang@easystack.cn>
To: Baoquan He <bhe@redhat.com>, Vivek Goyal <vgoyal@redhat.com>,
Dave Young <dyoung@redhat.com>, Yuntao Wang <ytcoode@gmail.com>
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/2] x86/kexec: Fix potential out of bounds in crash_setup_memmap_entries()
Date: Wed, 20 Dec 2023 13:57:31 +0800 [thread overview]
Message-ID: <20231220055733.100325-2-fuqiang.wang@easystack.cn> (raw)
In-Reply-To: <20231220055733.100325-1-fuqiang.wang@easystack.cn>
In memmap_exclude_ranges(), there will exclude elfheader from
crashk_res. In the current x86 architecture code, the elfheader is
always allocated at crashk_res.start. It seems that there won't be a
split a new range. But it depends on the allocation position of
elfheader in crashk_res. To avoid potential out of bounds in future, Set
the array size to 2.
But similar issue will not exist in fill_up_crash_elf_data(). Because
the range to be excluded is [0, 1M], start (0) is special and will not
appear in the middle of existing cmem->ranges[]. I added a comment to
explain it.
Signed-off-by: fuqiang wang <fuqiang.wang@easystack.cn>
---
arch/x86/kernel/crash.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
index c92d88680dbf..1c15d0884c90 100644
--- a/arch/x86/kernel/crash.c
+++ b/arch/x86/kernel/crash.c
@@ -149,6 +149,13 @@ static struct crash_mem *fill_up_crash_elf_data(void)
/*
* Exclusion of crash region and/or crashk_low_res may cause
* another range split. So add extra two slots here.
+ *
+ * Exclusion of low 1M may not cause another range split, because the
+ * range of exclude is [0, 1M] and the condition for splitting a new
+ * region is that the start, end parameters are both in a certain
+ * existing region in cmem and cannot be equal to existing region's
+ * start or end. Obviously, the start of [0, 1M] cannot meet this
+ * condition.
*/
nr_ranges += 2;
cmem = vzalloc(struct_size(cmem, ranges, nr_ranges));
@@ -282,9 +289,15 @@ int crash_setup_memmap_entries(struct kimage *image, struct boot_params *params)
struct crash_memmap_data cmd;
struct crash_mem *cmem;
- cmem = vzalloc(struct_size(cmem, ranges, 1));
+ cmem = vzalloc(struct_size(cmem, ranges, 2));
if (!cmem)
return -ENOMEM;
+ cmem->max_nr_ranges = 2;
+
+ /* Exclude some ranges from crashk_res and add rest to memmap */
+ ret = memmap_exclude_ranges(image, cmem, crashk_res.start, crashk_res.end);
+ if (ret)
+ goto out;
memset(&cmd, 0, sizeof(struct crash_memmap_data));
cmd.params = params;
@@ -320,11 +333,6 @@ int crash_setup_memmap_entries(struct kimage *image, struct boot_params *params)
add_e820_entry(params, &ei);
}
- /* Exclude some ranges from crashk_res and add rest to memmap */
- ret = memmap_exclude_ranges(image, cmem, crashk_res.start, crashk_res.end);
- if (ret)
- goto out;
-
for (i = 0; i < cmem->nr_ranges; i++) {
ei.size = cmem->ranges[i].end - cmem->ranges[i].start + 1;
--
2.42.0
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: fuqiang wang <fuqiang.wang@easystack.cn>
To: Baoquan He <bhe@redhat.com>, Vivek Goyal <vgoyal@redhat.com>,
Dave Young <dyoung@redhat.com>, Yuntao Wang <ytcoode@gmail.com>
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/2] x86/kexec: Fix potential out of bounds in crash_setup_memmap_entries()
Date: Wed, 20 Dec 2023 13:57:31 +0800 [thread overview]
Message-ID: <20231220055733.100325-2-fuqiang.wang@easystack.cn> (raw)
In-Reply-To: <20231220055733.100325-1-fuqiang.wang@easystack.cn>
In memmap_exclude_ranges(), there will exclude elfheader from
crashk_res. In the current x86 architecture code, the elfheader is
always allocated at crashk_res.start. It seems that there won't be a
split a new range. But it depends on the allocation position of
elfheader in crashk_res. To avoid potential out of bounds in future, Set
the array size to 2.
But similar issue will not exist in fill_up_crash_elf_data(). Because
the range to be excluded is [0, 1M], start (0) is special and will not
appear in the middle of existing cmem->ranges[]. I added a comment to
explain it.
Signed-off-by: fuqiang wang <fuqiang.wang@easystack.cn>
---
arch/x86/kernel/crash.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
index c92d88680dbf..1c15d0884c90 100644
--- a/arch/x86/kernel/crash.c
+++ b/arch/x86/kernel/crash.c
@@ -149,6 +149,13 @@ static struct crash_mem *fill_up_crash_elf_data(void)
/*
* Exclusion of crash region and/or crashk_low_res may cause
* another range split. So add extra two slots here.
+ *
+ * Exclusion of low 1M may not cause another range split, because the
+ * range of exclude is [0, 1M] and the condition for splitting a new
+ * region is that the start, end parameters are both in a certain
+ * existing region in cmem and cannot be equal to existing region's
+ * start or end. Obviously, the start of [0, 1M] cannot meet this
+ * condition.
*/
nr_ranges += 2;
cmem = vzalloc(struct_size(cmem, ranges, nr_ranges));
@@ -282,9 +289,15 @@ int crash_setup_memmap_entries(struct kimage *image, struct boot_params *params)
struct crash_memmap_data cmd;
struct crash_mem *cmem;
- cmem = vzalloc(struct_size(cmem, ranges, 1));
+ cmem = vzalloc(struct_size(cmem, ranges, 2));
if (!cmem)
return -ENOMEM;
+ cmem->max_nr_ranges = 2;
+
+ /* Exclude some ranges from crashk_res and add rest to memmap */
+ ret = memmap_exclude_ranges(image, cmem, crashk_res.start, crashk_res.end);
+ if (ret)
+ goto out;
memset(&cmd, 0, sizeof(struct crash_memmap_data));
cmd.params = params;
@@ -320,11 +333,6 @@ int crash_setup_memmap_entries(struct kimage *image, struct boot_params *params)
add_e820_entry(params, &ei);
}
- /* Exclude some ranges from crashk_res and add rest to memmap */
- ret = memmap_exclude_ranges(image, cmem, crashk_res.start, crashk_res.end);
- if (ret)
- goto out;
-
for (i = 0; i < cmem->nr_ranges; i++) {
ei.size = cmem->ranges[i].end - cmem->ranges[i].start + 1;
--
2.42.0
next prev parent reply other threads:[~2023-12-20 5:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-20 5:57 [PATCH v2 0/2] kexec: fix potential cmem->ranges out of bounds fuqiang wang
2023-12-20 5:57 ` fuqiang wang
2023-12-20 5:57 ` fuqiang wang [this message]
2023-12-20 5:57 ` [PATCH v2 1/2] x86/kexec: Fix potential out of bounds in crash_setup_memmap_entries() fuqiang wang
2023-12-21 13:14 ` Baoquan He
2023-12-21 13:14 ` Baoquan He
2023-12-22 11:41 ` fuqiang wang
2023-12-22 11:41 ` fuqiang wang
2023-12-20 5:57 ` [PATCH v2 2/2] kexec: Fix potential out of bounds in crash_exclude_mem_range() fuqiang wang
2023-12-20 5:57 ` fuqiang wang
2023-12-21 11:42 ` Baoquan He
2023-12-21 11:42 ` Baoquan He
2023-12-22 11:08 ` fuqiang wang
2023-12-22 11:08 ` fuqiang wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231220055733.100325-2-fuqiang.wang@easystack.cn \
--to=fuqiang.wang@easystack.cn \
--cc=bhe@redhat.com \
--cc=dyoung@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=vgoyal@redhat.com \
--cc=ytcoode@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.