From: Eric Biggers <ebiggers@kernel.org>
To: Breno Leitao <leitao@debian.org>
Cc: gregkh@linuxfoundation.org, sashal@kernel.org,
	stable@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Ard Biesheuvel <ardb@kernel.org>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-team@meta.com,
	Michael van der Westhuizen <rmikey@meta.com>,
	Tobias Fleig <tfleig@meta.com>
Subject: Re: [PATCH v2] stable: crypto: sha256 - fix crash at kexec
Date: Thu, 2 Oct 2025 10:37:23 -0700
Message-ID: <20251002173723.GE1697@sol>
In-Reply-To: <20251002-stable_crash-v2-1-836adf233521@debian.org>

On Thu, Oct 02, 2025 at 04:26:20AM -0700, Breno Leitao wrote:
> Loading a large (~2.1G) file with kexec crashes the host when
> running:
> 
>   # kexec --load kernel --initrd initrd_with_2G_or_more
> 
>   UBSAN: signed-integer-overflow in ./include/crypto/sha256_base.h:64:19
>   34152083 * 64 cannot be represented in type 'int'
>   ...
>   BUG: unable to handle page fault for address: ff9fffff83b624c0
>   sha256_update (lib/crypto/sha256.c:137)
>   crypto_sha256_update (crypto/sha256_generic.c:40)
>   kexec_calculate_store_digests (kernel/kexec_file.c:769)
>   __se_sys_kexec_file_load (kernel/kexec_file.c:397 kernel/kexec_file.c:332)
>   ...
> 
> (Line numbers based on commit da274362a7bd9 ("Linux 6.12.49"))
> 
> This started happening after commit f4da7afe07523f
> ("kexec_file: increase maximum file size to 4G") that landed in v6.0,
> which increased the file size for kexec.
> 
> This is not happening upstream (v6.16+), given that `block` type was
> upgraded from "int" to "size_t" in commit 74a43a2cf5e8 ("crypto:
> lib/sha256 - Move partial block handling out")
> 
> Upgrade the block type similar to the commit above, avoiding hitting the
> overflow.
> 
> This patch is only suitable for the stable tree, and before 6.16, which
> got commit 74a43a2cf5e8 ("crypto: lib/sha256 - Move partial block
> handling out"). This is not required before f4da7afe07523f ("kexec_file:
> increase maximum file size to 4G"). In other words, this fix is required
> between versions v6.0 and v6.16.
> 
> Signed-off-by: Breno Leitao <leitao@debian.org>
> Fixes: f4da7afe07523f ("kexec_file: increase maximum file size to 4G") # Before v6.16
> Reported-by: Michael van der Westhuizen <rmikey@meta.com>
> Reported-by: Tobias Fleig <tfleig@meta.com>
> ---
> Changes in v2:
> - s/size_t/unsigned int/ as suggested by Eric
> - Tag the commit that introduced the problem as Fixes, making backport easier.
> - Link to v1: https://lore.kernel.org/r/20251001-stable_crash-v1-1-3071c0bd795e@debian.org
> ---
>  include/crypto/sha256_base.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/crypto/sha256_base.h b/include/crypto/sha256_base.h
> index e0418818d63c8..e3e610cfe8d30 100644
> --- a/include/crypto/sha256_base.h
> +++ b/include/crypto/sha256_base.h
> @@ -44,7 +44,7 @@ static inline int lib_sha256_base_do_update(struct sha256_state *sctx,
>  	sctx->count += len;
>  
>  	if (unlikely((partial + len) >= SHA256_BLOCK_SIZE)) {
> -		int blocks;
> +		unsigned int blocks;
>  
>  		if (partial) {
>  			int p = SHA256_BLOCK_SIZE - partial;
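
Review bot: at the `unsigned int blocks;` declaration, nothing that survives into the commit log says why this width is enough. The UBSAN line in the message shows the block count being multiplied by 64, so an unsigned int holds that product only while the input stays below 4G, which is the same figure as the kexec limit named in the Fixes: tag. Whether that bound always holds depends on the type of `len`, which this hunk does not show. The "s/size_t/unsigned int/" note sits below the `---` and is dropped when the patch is applied, so a sentence in the commit message (or a short comment at the declaration) stating the bound would make the choice reviewable later.
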
> 
> ---
> base-commit: da274362a7bd9ab3a6e46d15945029145ebce672
> change-id: 20251001-stable_crash-f2151baf043b

Reviewed-by: Eric Biggers <ebiggers@kernel.org>

- Eric
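
The arithmetic behind the UBSAN report quoted above, as an added example that is not part of this thread or of the kernel source: it checks whether `blocks * 64` is representable in the pre-fix type (`int`) and the post-fix type (`unsigned int`). The helper names are hypothetical, `whole_blocks()` is a simplified model of the update path, and the code assumes a 32-bit `int` and the GCC/Clang `__builtin_mul_overflow` builtin.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define SHA256_BLOCK_SIZE 64ULL	/* bytes per SHA-256 block */

typedef unsigned long long u64;

/*
 * Whole blocks to hash for `len` new bytes when `partial` bytes
 * (partial < 64) are already buffered. A simplified model of the
 * update path, written for this example; not the kernel's code.
 */
static u64 whole_blocks(u64 partial, u64 len)
{
	if (partial + len < SHA256_BLOCK_SIZE)
		return 0;
	if (partial)
		len -= SHA256_BLOCK_SIZE - partial;	/* top up the buffer */
	return len / SHA256_BLOCK_SIZE;
}

/* Pre-fix type: does blocks * 64 fit in a signed int? */
static bool advance_fits_int(u64 blocks, int *out)
{
	return !__builtin_mul_overflow(blocks, SHA256_BLOCK_SIZE, out);
}

/* Post-fix type: does blocks * 64 fit in an unsigned int? */
static bool advance_fits_uint(u64 blocks, unsigned int *out)
{
	return !__builtin_mul_overflow(blocks, SHA256_BLOCK_SIZE, out);
}

int main(void)
{
	/* Constructed input: a length giving the 34152083 blocks in the report. */
	u64 blocks = whole_blocks(0, 34152083ULL * SHA256_BLOCK_SIZE);
	int s = 0;
	unsigned int u = 0;

	printf("blocks=%llu int:%s uint:%s\n", blocks,
	       advance_fits_int(blocks, &s) ? "fits" : "overflows",
	       advance_fits_uint(blocks, &u) ? "fits" : "overflows");
	printf("unsigned advance=%u bytes\n", u);
	return 0;
}
```

The signed product stops fitting at 33554432 blocks (2 GiB of input) and the unsigned one at 67108864 blocks (4 GiB).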

Thread overview: 3+ messages
2025-10-02 11:26 [PATCH v2] stable: crypto: sha256 - fix crash at kexec Breno Leitao
2025-10-02 11:28 ` kernel test robot
2025-10-02 17:37 ` Eric Biggers [this message]
