From: Jinjie Ruan <ruanjinjie@huawei.com>
To: <corbet@lwn.net>, <skhan@linuxfoundation.org>,
<catalin.marinas@arm.com>, <will@kernel.org>,
<chenhuacai@kernel.org>, <kernel@xen0n.name>,
<maddy@linux.ibm.com>, <mpe@ellerman.id.au>, <npiggin@gmail.com>,
<chleroy@kernel.org>, <pjw@kernel.org>, <palmer@dabbelt.com>,
<aou@eecs.berkeley.edu>, <alex@ghiti.fr>, <tglx@kernel.org>,
<mingo@redhat.com>, <bp@alien8.de>, <dave.hansen@linux.intel.com>,
<hpa@zytor.com>, <robh@kernel.org>, <saravanak@kernel.org>,
<akpm@linux-foundation.org>, <bhe@redhat.com>,
<vgoyal@redhat.com>, <dyoung@redhat.com>, <rdunlap@infradead.org>,
<peterz@infradead.org>, <pawan.kumar.gupta@linux.intel.com>,
<feng.tang@linux.alibaba.com>, <dapeng1.mi@linux.intel.com>,
<kees@kernel.org>, <elver@google.com>, <paulmck@kernel.org>,
<lirongqing@baidu.com>, <rppt@kernel.org>, <leitao@debian.org>,
<ardb@kernel.org>, <jbohac@suse.cz>, <cfsworks@gmail.com>,
<tangyouling@kylinos.cn>, <sourabhjain@linux.ibm.com>,
<ritesh.list@gmail.com>, <hbathini@linux.ibm.com>,
<eajames@linux.ibm.com>, <guoren@kernel.org>,
<songshuaishuai@tinylab.org>, <kevin.brodsky@arm.com>,
<vishal.moola@gmail.com>, <junhui.liu@pigmoral.tech>,
<coxu@redhat.com>, <fuqiang.wang@easystack.cn>,
<liaoyuanhong@vivo.com>, <takahiro.akashi@linaro.org>,
<james.morse@arm.com>, <lizhengyu3@huawei.com>, <x86@kernel.org>,
<linux-doc@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux-arm-kernel@lists.infradead.org>,
<loongarch@lists.linux.dev>, <linuxppc-dev@lists.ozlabs.org>,
<linux-riscv@lists.infradead.org>, <devicetree@vger.kernel.org>,
<kexec@lists.infradead.org>
Cc: <ruanjinjie@huawei.com>
Subject: [PATCH v12 06/15] LoongArch: kexec: Fix potential buffer overflow in prepare_elf_headers()
Date: Thu, 2 Apr 2026 15:26:52 +0800 [thread overview]
Message-ID: <20260402072701.628293-7-ruanjinjie@huawei.com> (raw)
In-Reply-To: <20260402072701.628293-1-ruanjinjie@huawei.com>
There is a race condition between the kexec_load() system call
(crash kernel loading path) and memory hotplug operations that can lead
to buffer overflow and potential kernel crash.
During prepare_elf_headers(), the following steps occur:
1. The first for_each_mem_range() queries current System RAM memory ranges
2. Allocates buffer based on queried count
3. The 2st for_each_mem_range() populates ranges from memblock
If memory hotplug occurs between step 1 and step 3, the number of ranges
can increase, causing out-of-bounds write when populating cmem->ranges[].
This happens because kexec_load() uses kexec_trylock (atomic_t) while
memory hotplug uses device_hotplug_lock (mutex), so they don't serialize
with each other.
Just add bounds checking to prevent out-of-bounds access.
Cc: Youling Tang <tangyouling@kylinos.cn>
Cc: Huacai Chen <chenhuacai@loongson.cn>
Fixes: 1bcca8620a91 ("LoongArch: Add crash dump support for kexec_file")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
arch/loongarch/kernel/machine_kexec_file.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/loongarch/kernel/machine_kexec_file.c b/arch/loongarch/kernel/machine_kexec_file.c
index 5584b798ba46..167392c1da33 100644
--- a/arch/loongarch/kernel/machine_kexec_file.c
+++ b/arch/loongarch/kernel/machine_kexec_file.c
@@ -75,6 +75,11 @@ static int prepare_elf_headers(void **addr, unsigned long *sz)
cmem->max_nr_ranges = nr_ranges;
cmem->nr_ranges = 0;
for_each_mem_range(i, &start, &end) {
+ if (cmem->nr_ranges >= cmem->max_nr_ranges) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
cmem->ranges[cmem->nr_ranges].start = start;
cmem->ranges[cmem->nr_ranges].end = end - 1;
cmem->nr_ranges++;
--
2.34.1
next prev parent reply other threads:[~2026-04-02 7:26 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 7:26 [PATCH v12 00/15] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 01/15] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 02/15] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() Jinjie Ruan
2026-04-02 10:57 ` Sourabh Jain
2026-04-02 7:26 ` [PATCH v12 03/15] x86/kexec: Fix potential buffer overflow in prepare_elf_headers() Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 04/15] arm64: kexec_file: " Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 05/15] riscv: " Jinjie Ruan
2026-04-02 7:26 ` Jinjie Ruan [this message]
2026-04-02 7:26 ` [PATCH v12 07/15] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 08/15] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 09/15] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 10/15] x86/kexec: " Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 11/15] riscv: kexec_file: " Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 12/15] LoongArch: kexec: " Jinjie Ruan
2026-04-02 7:26 ` [PATCH v12 13/15] crash: Use crash_exclude_core_ranges() on powerpc Jinjie Ruan
2026-04-02 7:27 ` [PATCH v12 14/15] arm64: kexec: Add support for crashkernel CMA reservation Jinjie Ruan
2026-04-02 7:27 ` [PATCH v12 15/15] riscv: " Jinjie Ruan
2026-04-02 11:31 ` [PATCH v12 00/15] arm64/riscv: " Borislav Petkov
2026-04-02 11:47 ` Jinjie Ruan
2026-04-02 13:36 ` Borislav Petkov
2026-04-03 9:14 ` Jinjie Ruan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260402072701.628293-7-ruanjinjie@huawei.com \
--to=ruanjinjie@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=bhe@redhat.com \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=cfsworks@gmail.com \
--cc=chenhuacai@kernel.org \
--cc=chleroy@kernel.org \
--cc=corbet@lwn.net \
--cc=coxu@redhat.com \
--cc=dapeng1.mi@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=devicetree@vger.kernel.org \
--cc=dyoung@redhat.com \
--cc=eajames@linux.ibm.com \
--cc=elver@google.com \
--cc=feng.tang@linux.alibaba.com \
--cc=fuqiang.wang@easystack.cn \
--cc=guoren@kernel.org \
--cc=hbathini@linux.ibm.com \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=jbohac@suse.cz \
--cc=junhui.liu@pigmoral.tech \
--cc=kees@kernel.org \
--cc=kernel@xen0n.name \
--cc=kevin.brodsky@arm.com \
--cc=kexec@lists.infradead.org \
--cc=leitao@debian.org \
--cc=liaoyuanhong@vivo.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lirongqing@baidu.com \
--cc=lizhengyu3@huawei.com \
--cc=loongarch@lists.linux.dev \
--cc=maddy@linux.ibm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=npiggin@gmail.com \
--cc=palmer@dabbelt.com \
--cc=paulmck@kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=rdunlap@infradead.org \
--cc=ritesh.list@gmail.com \
--cc=robh@kernel.org \
--cc=rppt@kernel.org \
--cc=saravanak@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=songshuaishuai@tinylab.org \
--cc=sourabhjain@linux.ibm.com \
--cc=takahiro.akashi@linaro.org \
--cc=tangyouling@kylinos.cn \
--cc=tglx@kernel.org \
--cc=vgoyal@redhat.com \
--cc=vishal.moola@gmail.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox