From: Coiby Xu <coiby.xu@gmail.com>
To: Sourabh Jain <sourabhjain@linux.ibm.com>
Cc: kexec@lists.infradead.org,
Andrew Morton <akpm@linux-foundation.org>,
Baoquan He <baoquan.he@linux.dev>,
Dave Young <ruirui.yang@linux.dev>,
Mike Rapoport <rppt@kernel.org>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
Pratyush Yadav <pratyush@kernel.org>, Coiby Xu <coxu@redhat.com>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 2/9] crash_dump: Fix potential double free and UAF of keys_header
Date: Thu, 14 May 2026 17:09:30 +0800 [thread overview]
Message-ID: <agWQGAz5vhLyW_0w@Rk> (raw)
In-Reply-To: <54a27f47-a7cd-458c-9b27-7b84949aa453@linux.ibm.com>
On Tue, May 12, 2026 at 11:12:16AM +0530, Sourabh Jain wrote:
>
>
>On 10/05/26 05:44, Coiby Xu wrote:
>>On Sat, May 09, 2026 at 01:36:59AM +0530, Sourabh Jain wrote:
>>>
>>>
>>>On 08/05/26 18:03, Coiby Xu wrote:
>>>>On Wed, May 06, 2026 at 05:58:31PM +0530, Sourabh Jain wrote:
>>>>>Hello Coiby,
>>>>
>>>>Hi Sourabh,
>>>>
>>>>Thanks for reviewing the patch!
>>>>
>>>>>
>>>>>On 02/05/26 05:13, Coiby Xu wrote:
>>>>>>If kexec_add_buffer somehow fails, keys_header will be
>>>>>>freed. Depending
>>>>>>on /sys/kernel/config/crash_dm_crypt_key/reuse, it will lead to the
>>>>>>following two problems if the kexec_file_load syscall is
>>>>>>called again,
>>>>>> 1. Double free of keys_header if reuse=false
>>>>>> 2. UAF of keys_header if reuse=true
>>>>>>
>>>>>>To address these problems and also make it easier to reason about the
>>>>>>code, keep two invariants,
>>>>>> 1. keys_header will always be freed at the end of kexec_file_load
>>>>>> syscall except during kdump image unloading for CPU/memory
>>>>>> hot-plugging support
>>>>>> 2. There will always be valid keys_header if reuse=true
>>>>>>
>>>>>>Fixes: 479e58549b0f ("crash_dump: store dm crypt keys in
>>>>>>kdump reserved memory")
>>>>>>Fixes: 9ebfa8dcaea7 ("crash_dump: reuse saved dm crypt keys
>>>>>>for CPU/memory hot-plugging")
>>>>>>Reported-by: Sourabh Jain <sourabhjain@linux.ibm.com>
>>[...]
>>>>
>>>>>
>>>>>
>>>>>
>>>>>> kexec_dprintk(
>>>>>> "dm-crypt keys haven't be saved to
>>>>>>crash-reserved memory\n");
>>>>>> return -EINVAL;
>>>>>> }
>>>>>>- if (kstrtobool(page, &is_dm_key_reused))
>>>>>>+ if (kstrtobool(page, &val) || !val)
>>>>>> return -EINVAL;
>>>>>
>>>>>Why can’t we allow the user to set is_dm_key_reused = false
>>>>>and free the
>>>>>key_header? That way, the next kdump kernel load will recreate the
>>>>>For example, a user may add more keys and want the new keys to
>>>>>be included
>>>>>in the kdump image from next kdump kernel load.
>>>>
>>>>Personally, I want to limit the reuse configfs API to the case of
>>>>CPU/memory hotplug thus to make the code simpler. And for the case of a
>>>>user adding more keys, I don't think there is a need for using
>>>>the reuse
>>>>API.
>>>
>>>
>>>Yes, there is no need for it, but I think the user is forced to use
>>>key_reuse because once it is set to true, it cannot be set back to
>>>false.
>>>
>>>For example, the kdump kernel is loaded using the kexec_load system call
>>>and reuse is set to true. The user may later add a couple of new
>>>keys and
>>>want to include them in the kdump image.
>>>
>>>I think the next kdump kernel load will reuse the key_headers even
>>>though
>>>the user does not want it. Hence I see a problem here.
>>>
>>>Well user can load kdump kernel a second time, and at that point the
>>>keys will get updated. But do we really want this behavior?
>>
>>key_reuse won't be set to true automatically unless an user explicitly
>>does so. Thus I don't think it's forcing users to use it. And by design
>>key_reuse is set only for the hotplug case.
>
>Oh, I got it now. So, on kdump kernel load, key reuse will always be
>set to false.
>
>And when the user wants to reuse the key, they can just set the key reuse to
>true and reload the kdump kernel. After the reload, key reuse will be set to
>false again by the kernel itself.
>
>Thanks for clearing up my doubts.
My pleasure! Good to know we are on the same page now:)
>
[...]
>>>>>>+ if (!is_dm_key_reused) {
>>>>>>+ kfree_sensitive(keys_header);
>>>>>>+ keys_header = NULL;
>>>>>
>>>>>Since crash_load_dm_crypt_keys() sets is_dm_key_reused =
>>>>>false, keys_header will
>>>>>always be released here, right? Then why is the above free
>>>>>under an if condition?
>>>>
>>>>Thanks for raising the question! This is to prevent "kexec -u" from
>>>>cleaning up keys_headers because kexec_file_post_load_cleanup_dm_crypt
>>>>will also be called during "kexec -u". Without the if condition,
>>>>keys_headers will not be available during reloading.
>>>
>>>Agree. But do we really run kexec -u and then kexec -p to reload
>>>the kdump
>>>kernel on hotplug events? I am under the impression that the udev rule
>>>simply reloads the kdump kernel using kexec -p without explicitly
>>>running
>>>kexec -u.
>>
>>Yes, "kdumpctl reload" will be called during hotplug events https://github.com/rhkdump/kdump-utils/blob/main/kdump-udev-throttler#L51
>>So there is explicitly unloading first and then reloading.
>
>Oh ok, then it makes sense.
>
>BTW, I got the impression about not using kexec -u on kdump service reload
>from the repo below:
>
>https://github.com/openSUSE/kdump/blob/master/70-kdump.rules.in [Udev Rule]
>https://github.com/openSUSE/kdump/blob/00979dc621ba35285b85bf55917a5b0dfd273114/init/load-once.sh#L22
>[Wrapper to load once for multiple hotplug]
>https://github.com/openSUSE/kdump/blob/00979dc621ba35285b85bf55917a5b0dfd273114/init/load.sh#L312
>[load kdump script]
Thanks for sharing how openSUSE support hotplug! I believe current API
shall also work for openSUSE if they plan to support LUKS-encrypted dump
target.
--
Best regards,
Coiby
next prev parent reply other threads:[~2026-07-10 7:52 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-01 23:43 [PATCH v2 0/9] Bug fixes and enhancements for kdump LUKS support Coiby Xu
2026-05-01 23:43 ` [PATCH v2 1/9] crash_dump: Release reference to a keyring at correct time Coiby Xu
2026-05-01 23:43 ` [PATCH v2 2/9] crash_dump: Fix potential double free and UAF of keys_header Coiby Xu
2026-05-06 12:28 ` Sourabh Jain
2026-05-08 12:33 ` Coiby Xu
2026-05-08 20:06 ` Sourabh Jain
2026-05-10 0:14 ` Coiby Xu
2026-05-12 5:42 ` Sourabh Jain
2026-05-14 9:09 ` Coiby Xu [this message]
2026-05-01 23:43 ` [PATCH v2 3/9] crash_dump: Disallow writing to dm-crypt configfs during kexec_file_load syscall Coiby Xu
2026-05-06 13:56 ` Sourabh Jain
2026-05-08 13:08 ` Coiby Xu
2026-07-10 7:47 ` Coiby Xu
2026-05-01 23:43 ` [PATCH v2 4/9] crash_dump: Read the number of dm-crypt keys from reserved memory Coiby Xu
2026-05-06 14:18 ` Sourabh Jain
2026-07-10 7:59 ` Coiby Xu
2026-05-01 23:43 ` [PATCH v2 5/9] crash_dump: Free temporary dm-crypt keys_header buffer in kdump kernel Coiby Xu
2026-05-01 23:43 ` [PATCH v2 6/9] crash_dump: Only use kexec_dprintk during the kexec_file_load syscall Coiby Xu
2026-05-01 23:43 ` [PATCH v2 7/9] crash_dump: Improve readability of config_keys_restore_store Coiby Xu
2026-05-06 14:33 ` Sourabh Jain
2026-07-10 7:53 ` Coiby Xu
2026-05-01 23:43 ` [PATCH v2 8/9] crash_dump: Disallow configfs/crash_dm_crypt_key/reuse if CONFIG_CRASH_HOTPLUG enabled Coiby Xu
2026-05-06 16:09 ` Sourabh Jain
2026-05-14 9:13 ` Coiby Xu
2026-05-01 23:43 ` [PATCH v2 9/9] Documentation: kdump: Add arm64 and ppc64le to encrypted dump target support list Coiby Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agWQGAz5vhLyW_0w@Rk \
--to=coiby.xu@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=baoquan.he@linux.dev \
--cc=coxu@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pasha.tatashin@soleen.com \
--cc=pratyush@kernel.org \
--cc=rppt@kernel.org \
--cc=ruirui.yang@linux.dev \
--cc=sourabhjain@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox