From: Mike Rapoport <rppt@kernel.org>
To: Pratyush Yadav <pratyush@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Baoquan He <bhe@redhat.com>, Alexander Graf <graf@amazon.com>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
kexec@lists.infradead.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] kho: fix out-of-bounds access of vmalloc chunk
Date: Mon, 3 Nov 2025 18:57:24 +0200
Message-ID: <aQje9CFnTymbkUlM@kernel.org>
In-Reply-To: <20251103110159.8399-1-pratyush@kernel.org>
On Mon, Nov 03, 2025 at 12:01:57PM +0100, Pratyush Yadav wrote:
> The list of pages in a vmalloc chunk is NULL-terminated. So when looping
> through the pages in a vmalloc chunk, both kho_restore_vmalloc() and
> kho_vmalloc_unpreserve_chunk() rightly make sure to stop when
> encountering a NULL page. But when the chunk is full, the loops do not
> stop and go past the bounds of chunk->phys, resulting in out-of-bounds
> memory access, and possibly the restoration or unpreservation of an
> invalid page.
>
> Fix this by making sure the processing of the chunk stops at the end of the
> array.
>
> Fixes: a667300bd53f2 ("kho: add support for preserving vmalloc allocations")
> Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> ---
>
> Notes:
> Commit 89a3ecca49ee8 ("kho: make sure page being restored is actually
> from KHO") was quite helpful in catching this since kho_restore_page()
> errored out due to missing magic number, instead of "restoring" a random
> page and causing errors at other random places.
>
> kernel/kexec_handover.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/kexec_handover.c b/kernel/kexec_handover.c
> index 76f0940fb4856..cc5aaa738bc50 100644
> --- a/kernel/kexec_handover.c
> +++ b/kernel/kexec_handover.c
> @@ -869,7 +869,7 @@ static void kho_vmalloc_unpreserve_chunk(struct kho_vmalloc_chunk *chunk)
>
> __kho_unpreserve(track, pfn, pfn + 1);
>
> - for (int i = 0; chunk->phys[i]; i++) {
> + for (int i = 0; i < ARRAY_SIZE(chunk->phys) && chunk->phys[i]; i++) {
> pfn = PHYS_PFN(chunk->phys[i]);
> __kho_unpreserve(track, pfn, pfn + 1);
> }
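Review bot: the new condition `i < ARRAY_SIZE(chunk->phys) && chunk->phys[i]` in kho_vmalloc_unpreserve_chunk() is correct only because the bound check is the left-hand operand; `&&` short-circuits, so `chunk->phys[i]` is never evaluated once `i` reaches the array size, which is exactly what prevents the read past the end of a full chunk. Since the reason the terminator check alone is insufficient (a full chunk has no NULL terminator) is not obvious from the loop, a one-line comment above the `for` stating that would help the next reader, and the same bound condition is repeated verbatim in kho_restore_vmalloc(), so a small shared helper or macro for "iterate over the used entries of chunk->phys" would keep the two loops from drifting apart.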
> @@ -992,7 +992,7 @@ void *kho_restore_vmalloc(const struct kho_vmalloc *preservation)
> while (chunk) {
> struct page *page;
>
> - for (int i = 0; chunk->phys[i]; i++) {
> + for (int i = 0; i < ARRAY_SIZE(chunk->phys) && chunk->phys[i]; i++) {
> phys_addr_t phys = chunk->phys[i];
>
> if (idx + contig_pages > total_pages)
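Review bot: the identical bound `i < ARRAY_SIZE(chunk->phys) && chunk->phys[i]` is added here in kho_restore_vmalloc(); as in the previous hunk the operand order is what matters, and the existing `if (idx + contig_pages > total_pages)` check visible below is a separate guard on the output page count, not on the chunk array, so it would not have caught the out-of-bounds read by itself. Worth a short comment at the loop noting that the array is NULL-terminated only when the chunk is not full, so that a future change does not "simplify" the condition back to the terminator check alone.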
>
> base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
> --
> 2.47.3
>
--
Sincerely yours,
Mike.