Re: [PATCH v13 04/15] arm64: kexec_file: Fix potential buffer overflow in prepare_elf_headers()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Memory leak of image->elf_headers on error paths in load_other_segments().
--

commit 176ac9ad5382c8a7611ce5e111bc472c392e772b
Author: Jinjie Ruan <ruanjinjie@huawei.com>

arm64: kexec_file: Fix potential buffer overflow in prepare_elf_headers()

This commit fixes a race condition between the kexec_load() system call and
memory hotplug operations that can lead to a buffer overflow. It adds an
explicit bounds check to prevent out-of-bounds access when populating
the memory ranges array.

Closes: https://sashiko.dev/#/patchset/20260323072745.2481719-1-ruanjinjie%40huawei.com

> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> index fba260ad87a96..df52ac4474c96 100644
> --- a/arch/arm64/kernel/machine_kexec_file.c
> +++ b/arch/arm64/kernel/machine_kexec_file.c
> @@ -59,6 +59,11 @@ static int prepare_elf_headers(void **addr, unsigned long *sz)
>  	cmem->max_nr_ranges = nr_ranges;
>  	cmem->nr_ranges = 0;
>  	for_each_mem_range(i, &start, &end) {
> +		if (cmem->nr_ranges >= cmem->max_nr_ranges) {
> +			ret = -ENOMEM;
> +			goto out;
> +		}
> +
>  		cmem->ranges[cmem->nr_ranges].start = start;
>  		cmem->ranges[cmem->nr_ranges].end = end - 1;
>  		cmem->nr_ranges++;

While reviewing this commit, I noticed a pre-existing issue in the
surrounding code.

Could the error paths in load_other_segments() leak the memory
allocated by prepare_elf_headers()?

If a failure occurs later in load_other_segments(), for example when
adding the initrd or dtb, the function jumps to out_err:

arch/arm64/kernel/machine_kexec_file.c:load_other_segments() {
	[ ... ]
		ret = kexec_add_buffer(&kbuf);
		if (ret) {
			vfree(headers);
			goto out_err;
		}
		image->elf_headers = headers;
	[ ... ]
	if (initrd) {
	[ ... ]
		ret = kexec_add_buffer(&kbuf);
		if (ret)
			goto out_err;
	[ ... ]
out_err:
	image->nr_segments = orig_segments;
	kvfree(dtb);
	return ret;
}

The out_err path returns an error but does not free image->elf_headers.

This seems problematic because the caller in kexec_image.c
handles placement failures by erasing the segment and retrying in a loop:

arch/arm64/kernel/kexec_image.c:image_load() {
	[ ... ]
	while ((ret = kexec_add_buffer(&kbuf)) == 0) {
		kernel_segment = &image->segment[kernel_segment_number];
		ret = load_other_segments(image, kernel_segment->mem, ...);
		if (!ret)
			break;
	[ ... ]
}

Does this retry loop unconditionally allocate new ELF headers on each
iteration and permanently leak the previously allocated buffers?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260511030454.1730881-1-ruanjinjie@huawei.com?part=4