From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8714C30E834
	for <linux-kernel@vger.kernel.org>; Fri,  1 May 2026 23:44:10 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.172
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1777679051; cv=none; b=Uqp7OBIGt4MIfWANBqE7fGKN4HxnaPSLPNZX/Inur2I1sFFLUW2ybLwB1MlaAMZ3D9erWJnZ89hSyiItag0bXl/sqXOVvztfMA+tleKZchSyoRMhT888twfzvww1Lli5wp4oyDvQtH68A6sxiHRgbB2FvRw4tLWBLjKsZERADO0=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1777679051; c=relaxed/simple;
	bh=2RTqToefF9skCQEwlLfsIL9dOuvB+3+hy3KvMjBvCsM=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=D6jnUVfffHwmuYBnQJ2ypBCuNMdl0h5/kZMT9CN93ehzB19lEx54tfJ/QvLmwa7eYxsyAYd9aDTczWY9YXlIsFSO/tsgK1pfhcewg5pPcNJr8+BqnMx34SADbJGvIi0l+er5y4amREHf/fM+A78l3hP2YVJvi3pfMG9HwXQRE04=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Ki2EWxIO; arc=none smtp.client-ip=209.85.214.172
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Ki2EWxIO"
Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-2b25cf1b5f0so12827955ad.3
        for <linux-kernel@vger.kernel.org>; Fri, 01 May 2026 16:44:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1777679050; x=1778283850; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=isFMffa6fJYWa8WRwMnFwL6A7a7hUVq61Jbed7g/xXE=;
        b=Ki2EWxIO6h8nQGoKzt9MdB5+Mm/aCSpwNhwBETmPsYqEnw0ZDpBAOso+upHrg/2/MM
         nOjO+ESVKfwlgMSBvQz/prEe/IbKPTIbroPjcDxdJg9kUT6rgcgCiuUCKm2ggpI1Xzss
         NAXFPOWZCya/drj4UCFewoyx8CB+c2fKEio0IdDrXjQPRs0LyES70hv0QbyN8O5Pu73J
         9SprLOPZxxgfl906q29KYaz1MQLiM7e6TBATHI+ov5sIt/8TGChtG76UEUxnCio8YlXX
         yXsUXKPzatwejZKrKd5A8uFsaLBKQl4FPz3f4FREPa3aTiJjKjQoHm/4DWo9l5brqoNF
         bA6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1777679050; x=1778283850;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=isFMffa6fJYWa8WRwMnFwL6A7a7hUVq61Jbed7g/xXE=;
        b=EYLvAA0LQfLfWjy20rAwRdiEe+VAqcmK0yYHL1lI34o4v1pZupwbugPqYbtL2DXlk4
         QtphGjv2tivxo63dMVqeOJltt6jF0m01XgYp2RbXI3cCFXWvfBkd8PtMkNfnKnZQVYlQ
         dgeg2sDylto1nG+Cd+n27aP5vIFnjNtYpw6mV8JQtezWjN8sKQgET2ddNn9Nepxqp3Vi
         S5ua203dszEy7tnm+8detde932Q9ujF525X2FYCC2JPw4nCbx/xvwCiE5AS+qGFqhLgl
         5bKQv8dBvlUq5GVTghR/xS2tDLN9UJkpJ/TUtCtK3JUSGjJCeKQqBcH4JDqDd63dvy0Q
         Bpqg==
X-Forwarded-Encrypted: i=1; AFNElJ9IH52Vd2+UMXDW0GgqxAJ2BORoRWeUAayf14FeTMT3QtgbmrxF79UB9VUdqNCwO4BEwJAmLLkgvGYWCL4=@vger.kernel.org
X-Gm-Message-State: AOJu0Yztacc7fNsw2gTzO+YdSmAs50WmIR3mkcIjcJHYm+8CR6EHfyFw
	lB1zgXdam5/inqE7Pzr0yX3yGpVsy4ivlyiCx0v0nhvw9K57+SO6FwpN
X-Gm-Gg: AeBDievcIGxFielgQr1Kan1VozFXMPA8FnfUzDAtqNA4gt+e8KKDo82WVVD9lLL9hHW
	SBaLWO3jaObNsZEAzsYCh9j/LPt64bJ9neWu2bYmDcXo9ZTUoWjwYoB3EPvqgQIP6G2HoHnoIIY
	AuFachZtXJy4pR53a56PI5HcsSzyb8mPKyRjy9gn63IpTGnVjAyDDbxqTkZfI9hRJLlkrlxdKRh
	G9GAkWCMo5QVoDzGQhgf6nYrqVSC1v8xXhLVEQClvUwjb/+WoVjjTF1h/E9sdnOXLKLtmdglYe3
	Ug63m1qxe3N90ACtVgxvQlzLmVxUv6E4tj4bS/NQQ3jVfMPnRw+sqZDurDX/CJTKKpu0LnUfAyv
	0jbX8SlMnfidRSZg46CVbRsdGgOwueX0foiPgYcssrdbOvFBHo7bgT3tYJY2efspiOD4KRzjoCd
	hcUzlFYIs8/sR0WIkj0zY3PjFtoI3Geg==
X-Received: by 2002:a17:903:1cd:b0:2b2:4a9a:b149 with SMTP id d9443c01a7336-2b9f25653abmr12012465ad.9.1777679049811;
        Fri, 01 May 2026 16:44:09 -0700 (PDT)
Received: from localhost ([121.237.249.41])
        by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b9cae11939sm33752105ad.49.2026.05.01.16.44.07
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 01 May 2026 16:44:09 -0700 (PDT)
From: Coiby Xu <coiby.xu@gmail.com>
To: kexec@lists.infradead.org
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Sourabh Jain <sourabhjain@linux.ibm.com>,
	Baoquan He <baoquan.he@linux.dev>,
	Dave Young <ruirui.yang@linux.dev>,
	Mike Rapoport <rppt@kernel.org>,
	Pasha Tatashin <pasha.tatashin@soleen.com>,
	Pratyush Yadav <pratyush@kernel.org>,
	Coiby Xu <coxu@redhat.com>,
	linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 2/9] crash_dump: Fix potential double free and UAF of keys_header
Date: Sat,  2 May 2026 07:43:31 +0800
Message-ID: <20260501234342.2518281-3-coiby.xu@gmail.com>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260501234342.2518281-1-coiby.xu@gmail.com>
References: <20260501234342.2518281-1-coiby.xu@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

If kexec_add_buffer somehow fails, keys_header will be freed. Depending
on /sys/kernel/config/crash_dm_crypt_key/reuse, it will lead to the
following two problems if the kexec_file_load syscall is called again,
  1. Double free of keys_header if reuse=false
  2. UAF of keys_header if reuse=true

To address these problems and also make it easier to reason about the
code, keep two invariants,
  1. keys_header will always be freed at the end of kexec_file_load
     syscall except during kdump image unloading for CPU/memory
     hot-plugging support
  2. There will always be valid keys_header if reuse=true

Fixes: 479e58549b0f ("crash_dump: store dm crypt keys in kdump reserved memory")
Fixes: 9ebfa8dcaea7 ("crash_dump: reuse saved dm crypt keys for CPU/memory hot-plugging")
Reported-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 include/linux/kexec.h        |  6 ++++
 kernel/crash_dump_dm_crypt.c | 65 ++++++++++++++++++++++++++----------
 kernel/kexec_file.c          |  2 ++
 3 files changed, 56 insertions(+), 17 deletions(-)

diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 8a22bc9b8c6c..91256d7ff434 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -552,6 +552,12 @@ void set_kexec_sig_enforced(void);
 static inline void set_kexec_sig_enforced(void) {}
 #endif
 
+#ifdef CONFIG_CRASH_DM_CRYPT
+void kexec_file_post_load_cleanup_dm_crypt(struct kimage *image);
+#else
+static inline void kexec_file_post_load_cleanup_dm_crypt(struct kimage *image) {}
+#endif
+
 #endif /* !defined(__ASSEBMLY__) */
 
 #endif /* LINUX_KEXEC_H */
diff --git a/kernel/crash_dump_dm_crypt.c b/kernel/crash_dump_dm_crypt.c
index eac4f436a8d4..4d8a3331bbe7 100644
--- a/kernel/crash_dump_dm_crypt.c
+++ b/kernel/crash_dump_dm_crypt.c
@@ -84,18 +84,25 @@ static int add_key_to_keyring(struct dm_crypt_key *dm_key,
 	return r;
 }
 
-static void get_keys_from_kdump_reserved_memory(void)
+static int get_keys_from_kdump_reserved_memory(void)
 {
 	struct keys_header *keys_header_loaded;
+	size_t keys_header_size;
 
-	arch_kexec_unprotect_crashkres();
+	keys_header_size = get_keys_header_size(key_count);
+	keys_header = kzalloc(keys_header_size, GFP_KERNEL);
+	if (!keys_header)
+		return -ENOMEM;
 
+	arch_kexec_unprotect_crashkres();
 	keys_header_loaded = kmap_local_page(pfn_to_page(
 		kexec_crash_image->dm_crypt_keys_addr >> PAGE_SHIFT));
 
-	memcpy(keys_header, keys_header_loaded, get_keys_header_size(key_count));
+	memcpy(keys_header, keys_header_loaded, keys_header_size);
 	kunmap_local(keys_header_loaded);
 	arch_kexec_protect_crashkres();
+
+	return 0;
 }
 
 static int restore_dm_crypt_keys_to_thread_keyring(void)
@@ -283,17 +290,28 @@ static ssize_t config_keys_reuse_show(struct config_item *item, char *page)
 static ssize_t config_keys_reuse_store(struct config_item *item,
 					   const char *page, size_t count)
 {
+	bool val;
+	int r;
+
 	if (!kexec_crash_image || !kexec_crash_image->dm_crypt_keys_addr) {
 		kexec_dprintk(
 			"dm-crypt keys haven't be saved to crash-reserved memory\n");
 		return -EINVAL;
 	}
 
-	if (kstrtobool(page, &is_dm_key_reused))
+	if (kstrtobool(page, &val) || !val)
 		return -EINVAL;
 
-	if (is_dm_key_reused)
-		get_keys_from_kdump_reserved_memory();
+	if (is_dm_key_reused) {
+		pr_info("Already got dm-crypt keys, please continue with kexec_file_load syscall\n");
+	} else {
+		r = get_keys_from_kdump_reserved_memory();
+		if (r) {
+			pr_warn("Failed to get dm-crypt keys from reserved memory\n");
+			return r;
+		}
+		is_dm_key_reused = true;
+	}
 
 	return count;
 }
@@ -366,9 +384,6 @@ static int build_keys_header(void)
 	struct config_key *key;
 	int i, r;
 
-	if (keys_header != NULL)
-		kvfree(keys_header);
-
 	keys_header = kzalloc(get_keys_header_size(key_count), GFP_KERNEL);
 	if (!keys_header)
 		return -ENOMEM;
@@ -412,7 +427,7 @@ int crash_load_dm_crypt_keys(struct kimage *image)
 		.top_down = false,
 		.random = true,
 	};
-	int r;
+	int r = 0;
 
 
 	if (key_count <= 0) {
@@ -421,14 +436,15 @@ int crash_load_dm_crypt_keys(struct kimage *image)
 	}
 
 	if (!is_dm_key_reused) {
-		image->dm_crypt_keys_addr = 0;
 		r = build_keys_header();
-		if (r) {
-			pr_err("Failed to build dm-crypt keys header, ret=%d\n", r);
-			return r;
-		}
+		if (r)
+			goto out;
 	}
 
+	/*
+	 * keys_header will be copied to reserver memory later and then be
+	 * cleaned up at the end of kexec_file_load syscall
+	 */
 	kbuf.buffer = keys_header;
 	kbuf.bufsz = get_keys_header_size(key_count);
 
@@ -438,18 +454,33 @@ int crash_load_dm_crypt_keys(struct kimage *image)
 	r = kexec_add_buffer(&kbuf);
 	if (r) {
 		pr_err("Failed to call kexec_add_buffer, ret=%d\n", r);
-		kvfree((void *)kbuf.buffer);
-		return r;
+		goto out;
 	}
+
 	image->dm_crypt_keys_addr = kbuf.mem;
 	image->dm_crypt_keys_sz = kbuf.bufsz;
 	kexec_dprintk(
 		"Loaded dm crypt keys to kexec_buffer bufsz=0x%lx memsz=0x%lx\n",
 		kbuf.bufsz, kbuf.memsz);
 
+out:
+	is_dm_key_reused = false;
 	return r;
 }
 
+void kexec_file_post_load_cleanup_dm_crypt(struct kimage *image)
+{
+	/*
+	 * For CPU/memory hot-plugging, the kdump image will be reloaded. Prevent
+	 * keys_header from being cleaned up during unloading when
+	 * is_dm_key_reused=true
+	 */
+	if (!is_dm_key_reused) {
+		kfree_sensitive(keys_header);
+		keys_header = NULL;
+	}
+}
+
 static int __init configfs_dmcrypt_keys_init(void)
 {
 	int ret;
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 2bfbb2d144e6..0421f1e89791 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -139,6 +139,8 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 	kfree(image->image_loader_data);
 	image->image_loader_data = NULL;
 
+	kexec_file_post_load_cleanup_dm_crypt(image);
+
 	kexec_file_dbg_print = false;
 }
 
-- 
2.54.0