The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Tao Liu <ltao@redhat.com>
Cc: pjw@kernel.org, palmer@dabbelt.com, aou@eecs.berkeley.edu,
	alex@ghiti.fr, linux-riscv@lists.infradead.org,
	linux-kernel@vger.kernel.org, kexec@lists.infradead.org,
	bhe@redhat.com, zohar@linux.ibm.com, roberto.sassu@huawei.com,
	dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
	linux-integrity@vger.kernel.org, pratyush@kernel.org,
	Markus.Elfring@web.de, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH v3] riscv: Fix a NULL pointer dereference in machine_kexec_prepare
Date: Wed, 1 Jul 2026 13:34:05 +0300	[thread overview]
Message-ID: <akTsE_jYq-GtXcpF@kernel.org> (raw)
In-Reply-To: <CAO7dBbVftLUhd2qrh7hmijTB3PEPfZAhykCGqEfrPoOcSrrj-w@mail.gmail.com>

On Wed, Jul 01, 2026 at 04:58:09PM +1200, Tao Liu wrote:
> Hi Jarkko,
> 
> On Wed, Jul 1, 2026 at 3:50 PM Jarkko Sakkinen <jarkko@kernel.org> wrote:
> >
> > On Wed, Jul 01, 2026 at 02:57:33PM +1200, Tao Liu wrote:
> > > A NULL pointer dereference issue is noticed in riscv's machine_kexec_prepare,
> > > where image->segment[i].buf might be NULL and copied unchecked.
> > >
> > > The NULL buf comes from security/integrity/ima/ima_kexec.c:
> > > ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
> > > but kbuf.buffer is NULL
> >
> > This should have a proper call sequence. Now the root cause is
> > obfuscated.
> 
> Sure, I will attach the stack trace in v4. Here is the one:
> 
> [   62.867540] kexec_file(Image): Loaded kernel at 0x80200000
> bufsz=0x34ed800 memsz=0x35d0000
> [   62.879983] Unable to handle kernel access to user memory without
> uaccess routines at virtual address 0000000000000000
> [   62.880736] Current kexec pgtable: 4K pagesize, 57-bit VAs,
> pgdp=0x00000001062eb000
> [   62.881185] [0000000000000000] pgd=00000000413b4401,
> p4d=000000004151bc01, pud=00000000415b7801, pmd=0000000040af5801,
> pte=0000000000000000
> [   62.881969] Oops [#1]
> [   62.882077] Modules linked in:
> [   62.882717] CPU: 1 UID: 0 PID: 894 Comm: kexec Not tainted 7.1.1 #4
> PREEMPT(lazy)
> [   62.883037] Hardware name: QEMU QEMU Virtual Machine, BIOS
> edk2-20260508-2.fc44 05/08/2026
> [   62.883365] epc : __memcpy+0xd4/0xf8
> [   62.883685]  ra : machine_kexec_prepare+0x8a/0x298
> [   62.883914] epc : ffffffff81393ee8 ra : ffffffff800366ca sp :
> ff20000004a83d10
> [   62.884214]  gp : ffffffff83258db8 tp : ff6000008573db80 t0 :
> ffffffff80033640
> [   62.884433]  t1 : 2152ffffffffffc0 t2 : 0000000003000000 s0 :
> ff20000004a83d80
> [   62.884710]  s1 : 0000000000000000 a0 : ff20000004a83d10 a1 :
> 0000000000000000
> [   62.884987]  a2 : 0000000000000028 a3 : 0000000000000028 a4 :
> 0000000000000000
> [   62.885208]  a5 : 0000000000000000 a6 : 0000000104e33fff a7 :
> 0000000000000000
> [   62.885486]  s2 : ff60000082a35800 s3 : 0000000000000000 s4 :
> 0000000000000010
> [   62.885774]  s5 : 0000000000000028 s6 : ff20000004a83d10 s7 :
> 0000000000000005
> [   62.886005]  s8 : 00000000000000c0 s9 : 000000000ac0d220 s10:
> ffffffff835420e8
> [   62.886218]  s11: 0000000000000000 t3 : ffffff800000007c t4 :
> ff1c000002138d00
> [   62.886515]  t5 : ffffffffffffffff t6 : ff20000004a83d10 ssp :
> 0000000000000000
> [   62.886860] status: 0000000200000120 badaddr: 0000000000000000
> cause: 000000000000000d
> [   62.887162] [<ffffffff81393ee8>] __memcpy+0xd4/0xf8
> [   62.887388] [<ffffffff801b253a>] __do_sys_kexec_file_load+0x1b2/0x338
> [   62.887612] [<ffffffff801b26e4>] __riscv_sys_kexec_file_load+0x24/0x40
> [   62.887855] [<ffffffff81395ea4>] do_trap_ecall_u+0x1a4/0x5a8
> [   62.888134] [<ffffffff813a9eec>] handle_exception+0x16c/0x178
> [   62.888445] Code: 7613 07f6 ca05 86b3 00c5 e7b3 01f5 8fd5 8b8d eb89
> (4198) 0591
> [   62.889223] ---[ end trace 0000000000000000 ]---
> Segmentation fault         kexec -l /boot/vmlinuz-7.1.1
> --initrd=/boot/initramfs-7.1.1.img --reuse-cmdline
> 
> (gdb) p image->segment[0]
> $3 = {{buf = 0x0, kbuf = 0x0}, bufsz = 0, mem = 10737586176, memsz = 4096}
> 
> The buf = 0x0 and bufsz = 0 comes from ima_add_kexec_buffer(), thought
> I'm not sure why it added a NULL segment, but it is no harm to add a
> NULL checker here in case any other scenarios similar as IMA.

The mission oriented purpose of kernel's git log is to be a quick
checklist for bisecting bugs for instance. You have a dump of details
there for a transcript. Now you should do rationalize that because how
can you otherwise trust your own code?

Here's one recent example from me:

https://lore.kernel.org/linux-integrity/20260509185108.2681198-1-jarkko@kernel.org/

This is IMHO way more important part for a bug fix like this than the
code change itself.

It's the "engineering part" of the  equation.

> 
> >
> > >
> > > Fix this by simply adding a check before copy.
> > >
> > > Fixes: b7fb4d78a6ad ("RISC-V: use memcpy for kexec_file mode")
> > > Acked-by: Baoquan He <bhe@redhat.com>
> > > Acked-by: Pratyush Yadav <pratyush@kernel.org>
> > > Signed-off-by: Tao Liu <ltao@redhat.com>
> > > ---
> > >
> > > v3 -> v2: Add fixes tag; Replace "reference" to "dereference".
> > > link to v2: https://lore.kernel.org/linux-riscv/20260627222602.23594-2-ltao@redhat.com/
> > > link to v1: https://lore.kernel.org/linux-riscv/20260529032739.13264-2-ltao@redhat.com/
> > >
> > > ---
> > >  arch/riscv/kernel/machine_kexec.c | 7 +++++++
> > >  1 file changed, 7 insertions(+)
> > >
> > > diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
> > > index 2306ce3e5f22..afc68f6a4aa1 100644
> > > --- a/arch/riscv/kernel/machine_kexec.c
> > > +++ b/arch/riscv/kernel/machine_kexec.c
> > > @@ -41,6 +41,13 @@ machine_kexec_prepare(struct kimage *image)
> > >               if (image->segment[i].memsz <= sizeof(fdt))
> > >                       continue;
> > >
> > > +             /*
> > > +              * Some segments (e.g. IMA) reserve space but have no buffer
> > > +              * loaded yet. Skip them as they cannot contain an FDT.
> > > +              */
> >
> > This is destined to rot over time. It also adds up also potentially to
> > the backporting effort while backporting to stable kernes. And most
> > importantly. Please, don't document every other null check.
> 
> OK, will get rid of it.

general rules of thumb i personally follow usually:

1. features/improvements: can be a bit more eager with comments
2. bugs: you really have to have rationale for having a commnet. E.g.,
   mandatory SAFETY comment in linux-rust would obviously qualify.
3. both: if you add a comment are you sure it won't rot over time?

> 
> Thanks,
> Tao Liu
> 
> >
> > > +             if (image->segment[i].buf == NULL)
> >
> > if (!image->segments[i].buf)
> >
> > > +                     continue;
> > > +
> > >               if (image->file_mode)
> > >                       memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
> > >               else if (copy_from_user(&fdt, image->segment[i].buf, sizeof(fdt)))
> > > --
> > > 2.54.0
> > >
> > >
> >
> > BR, Jarkko
> >
> 

BR, Jarkko

  reply	other threads:[~2026-07-01 10:34 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  2:57 [PATCH v3] riscv: Fix a NULL pointer dereference in machine_kexec_prepare Tao Liu
2026-07-01  3:28 ` Nutty.Liu
2026-07-01  3:50 ` Jarkko Sakkinen
2026-07-01  4:58   ` Tao Liu
2026-07-01 10:34     ` Jarkko Sakkinen [this message]
2026-07-03 11:08       ` Tao Liu
2026-07-01 12:06     ` Pratyush Yadav
2026-07-03 10:59       ` Tao Liu
2026-07-01  6:00 ` Markus Elfring
2026-07-03 11:11   ` Tao Liu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=akTsE_jYq-GtXcpF@kernel.org \
    --to=jarkko@kernel.org \
    --cc=Markus.Elfring@web.de \
    --cc=alex@ghiti.fr \
    --cc=aou@eecs.berkeley.edu \
    --cc=bhe@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=eric.snowberg@oracle.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=kexec@lists.infradead.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-riscv@lists.infradead.org \
    --cc=ltao@redhat.com \
    --cc=palmer@dabbelt.com \
    --cc=pjw@kernel.org \
    --cc=pratyush@kernel.org \
    --cc=roberto.sassu@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox