From: Breno Leitao <leitao@debian.org>
To: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: corbet@lwn.net, skhan@linuxfoundation.org,
catalin.marinas@arm.com, will@kernel.org, chenhuacai@kernel.org,
kernel@xen0n.name, maddy@linux.ibm.com, mpe@ellerman.id.au,
npiggin@gmail.com, chleroy@kernel.org, pjw@kernel.org,
palmer@dabbelt.com, aou@eecs.berkeley.edu, alex@ghiti.fr,
tglx@kernel.org, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, hpa@zytor.com, robh@kernel.org,
saravanak@kernel.org, akpm@linux-foundation.org, bhe@redhat.com,
rppt@kernel.org, pasha.tatashin@soleen.com, pratyush@kernel.org,
ruirui.yang@linux.dev, rdunlap@infradead.org, pmladek@suse.com,
dapeng1.mi@linux.intel.com, kees@kernel.org, elver@google.com,
kuba@kernel.org, ebiggers@kernel.org, lirongqing@baidu.com,
paulmck@kernel.org, sourabhjain@linux.ibm.com, coxu@redhat.com,
jbohac@suse.cz, ryan.roberts@arm.com, osandov@fb.com,
cfsworks@gmail.com, tangyouling@kylinos.cn,
ritesh.list@gmail.com, adityag@linux.ibm.com, guoren@kernel.org,
songshuaishuai@tinylab.org, kevin.brodsky@arm.com,
vishal.moola@gmail.com, junhui.liu@pigmoral.tech,
wangruikang@iscas.ac.cn, namcao@linutronix.de,
chao.gao@intel.com, seanjc@google.com,
fuqiang.wang@easystack.cn, ardb@kernel.org,
chenjiahao16@huawei.com, hbathini@linux.ibm.com,
takahiro.akashi@linaro.org, james.morse@arm.com,
lizhengyu3@huawei.com, x86@kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, loongarch@lists.linux.dev,
linuxppc-dev@lists.ozlabs.org, linux-riscv@lists.infradead.org,
devicetree@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v13 04/15] arm64: kexec_file: Fix potential buffer overflow in prepare_elf_headers()
Date: Mon, 11 May 2026 05:30:54 -0700 [thread overview]
Message-ID: <agHL1zzC5bzgoCiJ@gmail.com> (raw)
In-Reply-To: <79c14bee-b1f5-4d70-8345-6582d6cf0128@huawei.com>
On Mon, May 11, 2026 at 07:30:44PM +0800, Jinjie Ruan wrote:
>
>
> On 5/11/2026 5:46 PM, Breno Leitao wrote:
> > On Mon, May 11, 2026 at 11:04:43AM +0800, Jinjie Ruan wrote:
> >> There is a race condition between the kexec_load() system call
> >> (crash kernel loading path) and memory hotplug operations that can
> >> lead to buffer overflow and potential kernel crash.
> >>
> >> During prepare_elf_headers(), the following steps occur:
> >> 1. The first for_each_mem_range() queries current System RAM memory ranges
> >> 2. Allocates buffer based on queried count
> >> 3. The 2st for_each_mem_range() populates ranges from memblock
> >>
> >> If memory hotplug occurs between step 1 and step 3, the number of ranges
> >> can increase, causing out-of-bounds write when populating cmem->ranges[].
> >>
> >> This happens because kexec_load() uses kexec_trylock (atomic_t) while
> >> memory hotplug uses device_hotplug_lock (mutex), so they don't serialize
> >> with each other.
> >>
> >> Add the explicit bounds checking to prevent out-of-bounds access.
> >
> > It seems you have a TOCTOU type of issue, and this seems to be shrinking
> > the window, but not fully solving it?
>
> Hi Breno,
>
> Thanks for your comments regarding the TOCTOU issue.
>
> You are correct that the current bounds checking only "shrinks the
> window" and prevents a kernel crash, but doesn't fully guarantee header
> consistency if a race occurs.
>
> In my local environment, this race is extremely difficult to reproduce,
> but it is theoretically possible.
>
> To address this properly for arm64, I am considering two steps:
>
> - For this patch: I will change the return value to -EAGAIN and keep the
> bounds check. This ensures that even if a race happens, the kernel
> remains safe (no OOB access), and user-space is notified to retry.
>
> - Long-term solution: A better way to solve this is to implement ARM64
> CRASH_HOTPLUG support (similar to x86). With crash hotplug, the kernel
> will automatically re-generate the crash headers whenever a memory
> hotplug event occurs. This makes the TOCTOU during the initial
> kexec_load less critical, as any transient inconsistency will be
> immediately corrected by the subsequent hotplug handler.
>
> Does it make sense to you to use this patch as a safety guard first, and
> then I (or someone else) follow up with the full CRASH_HOTPLUG support
> for arm64 as [1]?
It would be OK for me, but, make it explict that there is a TOCTOU
issue, that depends on CRASH_HOTPLUG.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2026-05-11 13:13 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 3:04 [PATCH v13 00/15] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 01/15] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 02/15] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 03/15] x86/kexec: Fix potential buffer overflow in prepare_elf_headers() Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 04/15] arm64: kexec_file: " Jinjie Ruan
2026-05-11 9:46 ` Breno Leitao
2026-05-11 11:30 ` Jinjie Ruan
2026-05-11 12:30 ` Breno Leitao [this message]
2026-05-11 3:04 ` [PATCH v13 05/15] riscv: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 06/15] LoongArch: kexec: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 07/15] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 08/15] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 09/15] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 10/15] x86/kexec: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 11/15] riscv: kexec_file: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 12/15] LoongArch: kexec: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 13/15] crash: Use crash_exclude_core_ranges() on powerpc Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 14/15] arm64: kexec: Add support for crashkernel CMA reservation Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 15/15] riscv: " Jinjie Ruan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agHL1zzC5bzgoCiJ@gmail.com \
--to=leitao@debian.org \
--cc=adityag@linux.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=bhe@redhat.com \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=cfsworks@gmail.com \
--cc=chao.gao@intel.com \
--cc=chenhuacai@kernel.org \
--cc=chenjiahao16@huawei.com \
--cc=chleroy@kernel.org \
--cc=corbet@lwn.net \
--cc=coxu@redhat.com \
--cc=dapeng1.mi@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=devicetree@vger.kernel.org \
--cc=ebiggers@kernel.org \
--cc=elver@google.com \
--cc=fuqiang.wang@easystack.cn \
--cc=guoren@kernel.org \
--cc=hbathini@linux.ibm.com \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=jbohac@suse.cz \
--cc=junhui.liu@pigmoral.tech \
--cc=kees@kernel.org \
--cc=kernel@xen0n.name \
--cc=kevin.brodsky@arm.com \
--cc=kexec@lists.infradead.org \
--cc=kuba@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lirongqing@baidu.com \
--cc=lizhengyu3@huawei.com \
--cc=loongarch@lists.linux.dev \
--cc=maddy@linux.ibm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=namcao@linutronix.de \
--cc=npiggin@gmail.com \
--cc=osandov@fb.com \
--cc=palmer@dabbelt.com \
--cc=pasha.tatashin@soleen.com \
--cc=paulmck@kernel.org \
--cc=pjw@kernel.org \
--cc=pmladek@suse.com \
--cc=pratyush@kernel.org \
--cc=rdunlap@infradead.org \
--cc=ritesh.list@gmail.com \
--cc=robh@kernel.org \
--cc=rppt@kernel.org \
--cc=ruanjinjie@huawei.com \
--cc=ruirui.yang@linux.dev \
--cc=ryan.roberts@arm.com \
--cc=saravanak@kernel.org \
--cc=seanjc@google.com \
--cc=skhan@linuxfoundation.org \
--cc=songshuaishuai@tinylab.org \
--cc=sourabhjain@linux.ibm.com \
--cc=takahiro.akashi@linaro.org \
--cc=tangyouling@kylinos.cn \
--cc=tglx@kernel.org \
--cc=vishal.moola@gmail.com \
--cc=wangruikang@iscas.ac.cn \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox