From: Jarkko Sakkinen <jarkko@kernel.org>
To: Tao Liu <ltao@redhat.com>
Cc: pjw@kernel.org, palmer@dabbelt.com, aou@eecs.berkeley.edu,
alex@ghiti.fr, linux-riscv@lists.infradead.org,
linux-kernel@vger.kernel.org, kexec@lists.infradead.org,
bhe@redhat.com, zohar@linux.ibm.com, roberto.sassu@huawei.com,
dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
linux-integrity@vger.kernel.org, pratyush@kernel.org,
Markus.Elfring@web.de, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH v3] riscv: Fix a NULL pointer dereference in machine_kexec_prepare
Date: Wed, 1 Jul 2026 06:50:07 +0300
Message-ID: <akSOb1_1tcJvFyda@kernel.org>
In-Reply-To: <20260701025732.66330-2-ltao@redhat.com>
On Wed, Jul 01, 2026 at 02:57:33PM +1200, Tao Liu wrote:
> A NULL pointer dereference issue is noticed in riscv's machine_kexec_prepare,
> where image->segment[i].buf might be NULL and copied unchecked.
>
> The NULL buf comes from security/integrity/ima/ima_kexec.c:
> ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
> but kbuf.buffer is NULL
This should have a proper call sequence. Now the root cause is
obfuscated.
>
> Fix this by simply adding a check before copy.
>
> Fixes: b7fb4d78a6ad ("RISC-V: use memcpy for kexec_file mode")
> Acked-by: Baoquan He <bhe@redhat.com>
> Acked-by: Pratyush Yadav <pratyush@kernel.org>
> Signed-off-by: Tao Liu <ltao@redhat.com>
> ---
>
> v3 -> v2: Add fixes tag; Replace "reference" to "dereference".
> link to v2: https://lore.kernel.org/linux-riscv/20260627222602.23594-2-ltao@redhat.com/
> link to v1: https://lore.kernel.org/linux-riscv/20260529032739.13264-2-ltao@redhat.com/
>
> ---
> arch/riscv/kernel/machine_kexec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
> index 2306ce3e5f22..afc68f6a4aa1 100644
> --- a/arch/riscv/kernel/machine_kexec.c
> +++ b/arch/riscv/kernel/machine_kexec.c
> @@ -41,6 +41,13 @@ machine_kexec_prepare(struct kimage *image)
> if (image->segment[i].memsz <= sizeof(fdt))
> continue;
>
> + /*
> + * Some segments (e.g. IMA) reserve space but have no buffer
> + * loaded yet. Skip them as they cannot contain an FDT.
> + */
This is destined to rot over time. It also potentially adds to the
backporting effort while backporting to stable kernels. And most
importantly: please, don't document every other null check.
> + if (image->segment[i].buf == NULL)
if (!image->segment[i].buf)
> + continue;
> +
> if (image->file_mode)
> memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
> else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
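Review bot: the new check guards both copy branches, but only the file_mode memcpy can fault on a NULL buf; the copy_from_user branch already has an error path for a copy that fails on an invalid pointer, and the Fixes tag points at the commit that switched file mode to memcpy. That reasoning, together with the IMA call chain (ima_add_kexec_buffer() -> kexec_add_buffer() with kbuf.buffer == NULL) that the commit message only sketches, belongs in the commit message rather than in the inline comment block, leaving just `if (!image->segment[i].buf)` followed by `continue;` in the code.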
> --
> 2.54.0
>
>
BR, Jarkko
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
Thread overview: 10+ messages
2026-07-01 2:57 [PATCH v3] riscv: Fix a NULL pointer dereference in machine_kexec_prepare Tao Liu
2026-07-01 3:28 ` Nutty.Liu
2026-07-01 3:50 ` Jarkko Sakkinen [this message]
2026-07-01 4:58 ` Tao Liu
2026-07-01 10:34 ` Jarkko Sakkinen
2026-07-03 11:08 ` Tao Liu
2026-07-01 12:06 ` Pratyush Yadav
2026-07-03 10:59 ` Tao Liu
2026-07-01 6:00 ` Markus Elfring
2026-07-03 11:11 ` Tao Liu