From: Coiby Xu <coiby.xu@gmail.com>
To: Sourabh Jain <sourabhjain@linux.ibm.com>
Cc: kexec@lists.infradead.org,
Andrew Morton <akpm@linux-foundation.org>,
Baoquan He <baoquan.he@linux.dev>,
Dave Young <ruirui.yang@linux.dev>,
Mike Rapoport <rppt@kernel.org>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
Pratyush Yadav <pratyush@kernel.org>, Coiby Xu <coxu@redhat.com>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 2/9] crash_dump: Fix potential double free and UAF of keys_header
Date: Thu, 14 May 2026 17:09:30 +0800 [thread overview]
Message-ID: <agWQGAz5vhLyW_0w@Rk> (raw)
In-Reply-To: <54a27f47-a7cd-458c-9b27-7b84949aa453@linux.ibm.com>
On Tue, May 12, 2026 at 11:12:16AM +0530, Sourabh Jain wrote:
>
>
>On 10/05/26 05:44, Coiby Xu wrote:
>>On Sat, May 09, 2026 at 01:36:59AM +0530, Sourabh Jain wrote:
>>>
>>>
>>>On 08/05/26 18:03, Coiby Xu wrote:
>>>>On Wed, May 06, 2026 at 05:58:31PM +0530, Sourabh Jain wrote:
>>>>>Hello Coiby,
>>>>
>>>>Hi Sourabh,
>>>>
>>>>Thanks for reviewing the patch!
>>>>
>>>>>
>>>>>On 02/05/26 05:13, Coiby Xu wrote:
>>>>>>If kexec_add_buffer somehow fails, keys_header will be
>>>>>>freed. Depending
>>>>>>on /sys/kernel/config/crash_dm_crypt_key/reuse, it will lead to the
>>>>>>following two problems if the kexec_file_load syscall is
>>>>>>called again,
>>>>>> 1. Double free of keys_header if reuse=false
>>>>>> 2. UAF of keys_header if reuse=true
>>>>>>
>>>>>>To address these problems and also make it easier to reason about the
>>>>>>code, keep two invariants,
>>>>>> 1. keys_header will always be freed at the end of kexec_file_load
>>>>>> syscall except during kdump image unloading for CPU/memory
>>>>>> hot-plugging support
>>>>>> 2. There will always be valid keys_header if reuse=true
>>>>>>
>>>>>>Fixes: 479e58549b0f ("crash_dump: store dm crypt keys in
>>>>>>kdump reserved memory")
>>>>>>Fixes: 9ebfa8dcaea7 ("crash_dump: reuse saved dm crypt keys
>>>>>>for CPU/memory hot-plugging")
>>>>>>Reported-by: Sourabh Jain <sourabhjain@linux.ibm.com>
>>[...]
>>>>
>>>>>
>>>>>
>>>>>
>>>>>> kexec_dprintk(
>>>>>> "dm-crypt keys haven't be saved to
>>>>>>crash-reserved memory\n");
>>>>>> return -EINVAL;
>>>>>> }
>>>>>>- if (kstrtobool(page, &is_dm_key_reused))
>>>>>>+ if (kstrtobool(page, &val) || !val)
>>>>>> return -EINVAL;
>>>>>
>>>>>Why can’t we allow the user to set is_dm_key_reused = false
>>>>>and free the
>>>>>key_header? That way, the next kdump kernel load will recreate the
>>>>>For example, a user may add more keys and want the new keys to
>>>>>be included
>>>>>in the kdump image from next kdump kernel load.
>>>>
>>>>Personally, I want to limit the reuse configfs API to the case of
>>>>CPU/memory hotplug thus to make the code simpler. And for the case of a
>>>>user adding more keys, I don't think there is a need for using
>>>>the reuse
>>>>API.
>>>
>>>
>>>Yes, there is no need for it, but I think the user is forced to use
>>>key_reuse because once it is set to true, it cannot be set back to
>>>false.
>>>
>>>For example, the kdump kernel is loaded using the kexec_load system call
>>>and reuse is set to true. The user may later add a couple of new
>>>keys and
>>>want to include them in the kdump image.
>>>
>>>I think the next kdump kernel load will reuse the key_headers even
>>>though
>>>the user does not want it. Hence I see a problem here.
>>>
>>>Well user can load kdump kernel a second time, and at that point the
>>>keys will get updated. But do we really want this behavior?
>>
>>key_reuse won't be set to true automatically unless an user explicitly
>>does so. Thus I don't think it's forcing users to use it. And by design
>>key_reuse is set only for the hotplug case.
>
>Oh, I got it now. So, on kdump kernel load, key reuse will always be
>set to false.
>
>And when the user wants to reuse the key, they can just set the key reuse to
>true and reload the kdump kernel. After the reload, key reuse will be set to
>false again by the kernel itself.
>
>Thanks for clearing up my doubts.
My pleasure! Good to know we are on the same page now:)
>
[...]
>>>>>>+ if (!is_dm_key_reused) {
>>>>>>+ kfree_sensitive(keys_header);
>>>>>>+ keys_header = NULL;
>>>>>
>>>>>Since crash_load_dm_crypt_keys() sets is_dm_key_reused =
>>>>>false, keys_header will
>>>>>always be released here, right? Then why is the above free
>>>>>under an if condition?
>>>>
>>>>Thanks for raising the question! This is to prevent "kexec -u" from
>>>>cleaning up keys_headers because kexec_file_post_load_cleanup_dm_crypt
>>>>will also be called during "kexec -u". Without the if condition,
>>>>keys_headers will not be available during reloading.
>>>
>>>Agree. But do we really run kexec -u and then kexec -p to reload
>>>the kdump
>>>kernel on hotplug events? I am under the impression that the udev rule
>>>simply reloads the kdump kernel using kexec -p without explicitly
>>>running
>>>kexec -u.
>>
>>Yes, "kdumpctl reload" will be called during hotplug events https://github.com/rhkdump/kdump-utils/blob/main/kdump-udev-throttler#L51
>>So there is explicitly unloading first and then reloading.
>
>Oh ok, then it makes sense.
>
>BTW, I got the impression about not using kexec -u on kdump service reload
>from the repo below:
>
>https://github.com/openSUSE/kdump/blob/master/70-kdump.rules.in [Udev Rule]
>https://github.com/openSUSE/kdump/blob/00979dc621ba35285b85bf55917a5b0dfd273114/init/load-once.sh#L22
>[Wrapper to load once for multiple hotplug]
>https://github.com/openSUSE/kdump/blob/00979dc621ba35285b85bf55917a5b0dfd273114/init/load.sh#L312
>[load kdump script]
Thanks for sharing how openSUSE support hotplug! I believe current API
shall also work for openSUSE if they plan to support LUKS-encrypted dump
target.
--
Best regards,
Coiby
next prev parent reply other threads:[~2026-07-10 7:52 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-01 23:43 [PATCH v2 0/9] Bug fixes and enhancements for kdump LUKS support Coiby Xu
2026-05-01 23:43 ` [PATCH v2 1/9] crash_dump: Release reference to a keyring at correct time Coiby Xu
2026-05-01 23:43 ` [PATCH v2 2/9] crash_dump: Fix potential double free and UAF of keys_header Coiby Xu
2026-05-06 12:28 ` Sourabh Jain
2026-05-08 12:33 ` Coiby Xu
2026-05-08 20:06 ` Sourabh Jain
2026-05-10 0:14 ` Coiby Xu
2026-05-12 5:42 ` Sourabh Jain
2026-05-14 9:09 ` Coiby Xu [this message]
2026-05-01 23:43 ` [PATCH v2 3/9] crash_dump: Disallow writing to dm-crypt configfs during kexec_file_load syscall Coiby Xu
2026-05-06 13:56 ` Sourabh Jain
2026-05-08 13:08 ` Coiby Xu
2026-07-10 7:47 ` Coiby Xu
2026-05-01 23:43 ` [PATCH v2 4/9] crash_dump: Read the number of dm-crypt keys from reserved memory Coiby Xu
2026-05-06 14:18 ` Sourabh Jain
2026-07-10 7:59 ` Coiby Xu
2026-05-01 23:43 ` [PATCH v2 5/9] crash_dump: Free temporary dm-crypt keys_header buffer in kdump kernel Coiby Xu
2026-05-01 23:43 ` [PATCH v2 6/9] crash_dump: Only use kexec_dprintk during the kexec_file_load syscall Coiby Xu
2026-05-01 23:43 ` [PATCH v2 7/9] crash_dump: Improve readability of config_keys_restore_store Coiby Xu
2026-05-06 14:33 ` Sourabh Jain
2026-07-10 7:53 ` Coiby Xu
2026-05-01 23:43 ` [PATCH v2 8/9] crash_dump: Disallow configfs/crash_dm_crypt_key/reuse if CONFIG_CRASH_HOTPLUG enabled Coiby Xu
2026-05-06 16:09 ` Sourabh Jain
2026-05-14 9:13 ` Coiby Xu
2026-05-01 23:43 ` [PATCH v2 9/9] Documentation: kdump: Add arm64 and ppc64le to encrypted dump target support list Coiby Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agWQGAz5vhLyW_0w@Rk \
--to=coiby.xu@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=baoquan.he@linux.dev \
--cc=coxu@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pasha.tatashin@soleen.com \
--cc=pratyush@kernel.org \
--cc=rppt@kernel.org \
--cc=ruirui.yang@linux.dev \
--cc=sourabhjain@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.