From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v14 07/17] riscv: kexec_file: Fix potential buffer overflow in prepare_elf_headers()
Date: Mon, 25 May 2026 09:54:47 +0000 [thread overview]
Message-ID: <20260525095447.944E11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260525084932.934910-8-ruanjinjie@huawei.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] `get_online_mems()` does not serialize `walk_system_ram_res()` against memory hotplug, failing to eliminate the TOCTOU race.
- [High] Reachable TOCTOU race condition inappropriately triggers `WARN_ON_ONCE`, allowing intentional dmesg spam and potential panics.
- [Medium] The commit message fabricates a non-existent deadlock scenario in RISC-V to justify the lock's placement.
--
commit 223e3ce35bfbaf2615822d5aa0bcebc0234cf741
Author: Jinjie Ruan <ruanjinjie@huawei.com>
riscv: kexec_file: Fix potential buffer overflow in prepare_elf_headers()
This commit attempts to fix a TOCTOU race in prepare_elf_headers() by
moving get_online_mems() to the top-level architecture image loaders,
and adding a bounds check in prepare_elf64_ram_headers_callback().
> Directly introducing get_online_mems() inside prepare_elf_headers() would
> trigger an immediate recursive read-after-write deadlock when invoked by
> the runtime hotplug notification path (which already holds the hotplug
> write lock).
>
> To eliminate the TOCTOU window safely without deadlock risks, move the
> get_online_mems() read lock to the top-level architecture image loaders.
> Since these top-level loaders are strictly executed on the initial system
> call path and are never re-entered by the runtime hotplug notifier, this
> approach physically isolates the locking contexts. The system memory ranges
> are forced to be statically frozen during the entire layout generation,
> eradicating the buffer overflow vulnerability.
[Severity: Medium]
Is this deadlock scenario accurate?
RISC-V currently does not select CONFIG_CRASH_HOTPLUG or
ARCH_SUPPORTS_CRASH_HOTPLUG. This means there is no runtime hotplug
notification path that dynamically updates kexec images or calls
prepare_elf_headers() on RISC-V.
Could the commit message be updated to clarify what this lock placement
actually protects against, given that the described runtime hotplug
notification path doesn't apply to this architecture?
> diff --git a/arch/riscv/kernel/machine_kexec_file.c b/arch/riscv/kernel/machine_kexec_file.c
> index 3f7766057cac3..a88362dfbd893 100644
> --- a/arch/riscv/kernel/machine_kexec_file.c
> +++ b/arch/riscv/kernel/machine_kexec_file.c
[ ... ]
> @@ -48,6 +49,9 @@ static int prepare_elf64_ram_headers_callback(struct resource *res, void *arg)
> {
> struct crash_mem *cmem = arg;
>
> + if (WARN_ON_ONCE(cmem->nr_ranges >= cmem->max_nr_ranges))
> + return -EAGAIN;
[Severity: High]
Is it safe to use a WARN_ON_ONCE() here?
Because get_online_mems() (added below) fails to prevent the Time-of-Check to
Time-of-Use race, a concurrent memory hot-add can legitimately cause
cmem->nr_ranges >= cmem->max_nr_ranges.
By repeatedly invoking the kexec_file_load syscall concurrently with memory
hotplug, a privileged user could intentionally hit this branch. This allows
them to pollute dmesg with stack traces or potentially trigger a kernel
panic on systems configured with panic_on_warn=1.
> +
> cmem->ranges[cmem->nr_ranges].start = res->start;
> cmem->ranges[cmem->nr_ranges].end = res->end;
> cmem->nr_ranges++;
[ ... ]
> @@ -281,12 +285,15 @@ int load_extra_segments(struct kimage *image, unsigned long kernel_start,
> if (image->type == KEXEC_TYPE_CRASH) {
> void *headers;
> unsigned long headers_sz;
> + get_online_mems();
> ret = prepare_elf_headers(&headers, &headers_sz);
[Severity: High]
Does get_online_mems() properly serialize walk_system_ram_res() against
memory hotplug?
get_online_mems() only acquires the mem_hotplug_lock as a reader. During
memory hotplug, __add_memory() calls register_memory_resource() to add the
new memory range to the iomem_resource tree (temporarily acquiring
resource_lock) before it calls add_memory_resource() to acquire the
mem_hotplug_lock as a writer.
Because walk_system_ram_res() iterates over the iomem_resource tree, it will
see newly added memory regions even while get_online_mems() is held.
Does this render the intended synchronization ineffective and leave the
Time-of-Check to Time-of-Use window open?
> if (ret) {
> + put_online_mems();
> pr_err("Preparing elf core header failed\n");
> goto out;
> }
>
> + put_online_mems();
> kbuf.buffer = headers;
> kbuf.bufsz = headers_sz;
> kbuf.mem = KEXEC_BUF_MEM_UNKNOWN;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260525084932.934910-1-ruanjinjie@huawei.com?part=7
next prev parent reply other threads:[~2026-05-25 9:54 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 8:49 [PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 01/17] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 02/17] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() Jinjie Ruan
2026-05-25 9:22 ` sashiko-bot
2026-05-25 8:49 ` [PATCH v14 03/17] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 04/17] arm64: kexec: Fix image->elf_headers memory leak during retry loop Jinjie Ruan
2026-05-25 9:11 ` sashiko-bot
2026-05-25 8:49 ` [PATCH v14 05/17] x86/kexec: Fix potential buffer overflow in prepare_elf_headers() Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 06/17] arm64: kexec_file: " Jinjie Ruan
2026-05-25 10:52 ` sashiko-bot
2026-05-25 8:49 ` [PATCH v14 07/17] riscv: " Jinjie Ruan
2026-05-25 9:54 ` sashiko-bot [this message]
2026-05-25 8:49 ` [PATCH v14 08/17] LoongArch: kexec: " Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 09/17] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 10/17] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-05-25 9:33 ` sashiko-bot
2026-05-25 8:49 ` [PATCH v14 11/17] x86/kexec: " Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 12/17] riscv: kexec_file: " Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 13/17] LoongArch: kexec: " Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 14/17] crash: Use crash_exclude_core_ranges() on powerpc Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 15/17] arm64: kexec: Add support for crashkernel CMA reservation Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 16/17] riscv: " Jinjie Ruan
2026-05-25 8:49 ` [PATCH v14 17/17] arm64/crash: Add crash hotplug support Jinjie Ruan
2026-05-25 10:17 ` sashiko-bot
2026-05-25 10:14 ` [PATCH v14 00/17] arm64/riscv: Add support for crashkernel CMA reservation Huacai Chen
2026-05-25 11:36 ` Mike Rapoport
2026-05-25 13:17 ` Huacai Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260525095447.944E11F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=ruanjinjie@huawei.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox