Devicetree
From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v17 01/10] riscv: kexec_file: Fix crashk_low_res not exclude bug
Date: Mon, 29 Jun 2026 09:58:15 +0000
Message-ID: <20260629095816.024021F000E9@smtp.kernel.org>
In-Reply-To: <20260629094746.191843-2-ruanjinjie@huawei.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] A Time-of-Check to Time-of-Use (TOCTOU) race condition between counting system RAM ranges and populating them can lead to a heap buffer overflow in `prepare_elf64_ram_headers_callback()`.
--

commit d55f858d6c28d0bc9c6e0e425332f4e2b5fea19b
Author: Jinjie Ruan <ruanjinjie@huawei.com>

riscv: kexec_file: Fix crashk_low_res not exclude bug

This commit fixes a bug in the riscv kdump implementation where the
crashk_low_res reserved ranges were not excluded from the crash kernel
memory. It updates the number of reserved ranges and excludes the
low memory range to prevent it from being exported through /proc/vmcore.

Link: https://github.com/chenjh005/kexec-tools/tree/build-test-riscv-v2
Link: https://lore.kernel.org/all/20230726175000.2536220-1-chenjiahao16@huawei.com/

> diff --git a/arch/riscv/kernel/machine_kexec_file.c b/arch/riscv/kernel/machine_kexec_file.c
> index 54e2d9552e930..3f7766057cac3 100644
> --- a/arch/riscv/kernel/machine_kexec_file.c
> +++ b/arch/riscv/kernel/machine_kexec_file.c
> @@ -61,7 +61,7 @@ static int prepare_elf_headers(void **addr, unsigned long *sz)
>  	unsigned int nr_ranges;
>  	int ret;
>  
> -	nr_ranges = 1; /* For exclusion of crashkernel region */
> +	nr_ranges = 2; /* For exclusion of crashkernel region */
>  	walk_system_ram_res(0, -1, &nr_ranges, get_nr_ram_ranges_callback);
>  
>  	cmem = kmalloc_flex(*cmem, ranges, nr_ranges);
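Review bot: the comment on the changed line still reads `/* For exclusion of crashkernel region */` although the count it annotates went from 1 to 2, so the second slot is a magic number to anyone reading this function without the commit message; update the comment to name both reservations, e.g. `/* For exclusion of crashk_res and crashk_low_res */`, so the capacity computed here is self-documenting next to the `kmalloc_flex(*cmem, ranges, nr_ranges)` that depends on it.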

[Severity: High]
This is a pre-existing issue, but what happens if memory is hot-added
concurrently between the first and second calls to walk_system_ram_res()
in prepare_elf_headers()?

If the number of RAM ranges increases after the first walk computes the
allocation size, the second walk will invoke
prepare_elf64_ram_headers_callback() more times than the allocated capacity.

Looking at prepare_elf64_ram_headers_callback(), there is no bounds check
against cmem->max_nr_ranges:

static int prepare_elf64_ram_headers_callback(struct resource *res, void *arg)
{
        struct crash_mem *cmem = arg;

        /* nr_ranges is used directly as the index; it is never compared
         * against cmem->max_nr_ranges before the writes below. */
        cmem->ranges[cmem->nr_ranges].start = res->start;
        cmem->ranges[cmem->nr_ranges].end = res->end;
        cmem->nr_ranges++;

        return 0;
}

Could this cause a heap buffer overflow if the number of new regions exceeds
the padding reserved for exclusion ranges?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629094746.191843-1-ruanjinjie@huawei.com?part=1
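A user-space model of the count-then-populate pattern the review above questions, added here as an example and not part of the patch or of the kernel source: the callback gets the bounds check against cmem->max_nr_ranges that the quoted prepare_elf64_ram_headers_callback() lacks, so a second walk that finds more ranges than the first one counted fails with -ENOMEM instead of writing past the allocation. struct range, ram_map and prepare_headers_model() are constructed stand-ins for the kernel types and for walk_system_ram_res(); the crash_mem layout follows the kernel's (capacity, fill count, flexible array).

```c
#include <errno.h>
#include <stdlib.h>

struct range { unsigned long start, end; };

/* Same shape as the kernel's struct crash_mem: capacity, fill count, flex array. */
struct crash_mem {
	unsigned int max_nr_ranges;
	unsigned int nr_ranges;
	struct range ranges[];
};

/* Bounded version of the ram-headers callback (hypothetical fix): a non-zero
 * return stops the walk instead of writing past the buffer. */
static int ram_headers_callback_checked(const struct range *res, void *arg)
{
	struct crash_mem *cmem = arg;

	if (cmem->nr_ranges >= cmem->max_nr_ranges)
		return -ENOMEM;
	cmem->ranges[cmem->nr_ranges++] = *res;
	return 0;
}

/* Constructed System RAM map standing in for what walk_system_ram_res() visits. */
static const struct range ram_map[] = {
	{ 0x80000000, 0x87ffffff }, { 0x88000000, 0x8fffffff },
	{ 0x90000000, 0x97ffffff }, { 0x98000000, 0x9fffffff },
};

/* Model of prepare_elf_headers(): size the buffer from n_counted ranges (first
 * walk) plus `spare` exclusion slots, then populate from the full map (second
 * walk). n_counted below the real count models RAM hot-added in between.
 * Returns 0, or -ENOMEM when the second walk would overflow the buffer. */
int prepare_headers_model(unsigned int n_counted, unsigned int spare)
{
	unsigned int cap = n_counted + spare;
	struct crash_mem *cmem = malloc(sizeof(*cmem) + cap * sizeof(cmem->ranges[0]));
	int ret = 0;

	if (!cmem)
		return -ENOMEM;
	cmem->max_nr_ranges = cap;
	cmem->nr_ranges = 0;
	for (unsigned int i = 0; i < sizeof(ram_map) / sizeof(ram_map[0]) && !ret; i++)
		ret = ram_headers_callback_checked(&ram_map[i], cmem);
	free(cmem);
	return ret;
}
```

With four ranges in the map, prepare_headers_model(4, 2) returns 0, while prepare_headers_model(2, 1) (two ranges appeared after the count, only one spare slot) returns -ENOMEM on the fourth range rather than overflowing.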
