[PATCH] pstore/ram: fix buffer overflow in persistent_ram_save_old()

[PATCH] pstore/ram: fix buffer overflow in persistent_ram_save_old()

[Sai Ritvik Tanksalkar]

persistent_ram_save_old() can be called multiple times for the same
persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz
for PSTORE_TYPE_DMESG records).

Currently, the function only allocates prz->old_log when it is NULL,
but it unconditionally updates prz->old_log_size to the current buffer
size and then performs memcpy_fromio() using this new size. If the
buffer size has grown since the first allocation (which can happen
across different kernel boot cycles), this leads to:

1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls.
2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer
   using the incorrect (larger) old_log_size.

The KASAN splat would look similar to:
  BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x...
  Read of size N at addr ... by task ...

Fix this by freeing and reallocating the buffer when the new size
exceeds the previously allocated size. This ensures old_log always has
sufficient space for the data being copied.

Fixes: 201e4aca5aa1 ("pstore/ram: Should update old dmesg buffer before reading")
Cc: stable@vger.kernel.org
Signed-off-by: Pwnverse <stanksal@purdue.edu>
---
 fs/pstore/ram_core.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index f1848cdd6d34..8df813a42a41 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -298,6 +298,14 @@ void persistent_ram_save_old(struct persistent_ram_zone *prz)
     if (!size)
         return;
 
+     /*
+      * If the existing buffer is too small, free it so a new one is
+      * allocated. This can happen when persistent_ram_save_old() is
+      * called multiple times with different buffer sizes.
+      */
+     if (prz->old_log && prz->old_log_size < size)
+           persistent_ram_free_old(prz);
+
     if (!prz->old_log) {
         persistent_ram_ecc_old(prz);
         prz->old_log = kvzalloc(size, GFP_KERNEL);
-- 
2.43.0

Re: [PATCH] pstore/ram: fix buffer overflow in persistent_ram_save_old()

[gregkh]

On Sun, Feb 01, 2026 at 12:59:24PM +0000, Sai Ritvik Tanksalkar wrote:
> persistent_ram_save_old() can be called multiple times for the same
> persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz
> for PSTORE_TYPE_DMESG records).
> 
> Currently, the function only allocates prz->old_log when it is NULL,
> but it unconditionally updates prz->old_log_size to the current buffer
> size and then performs memcpy_fromio() using this new size. If the
> buffer size has grown since the first allocation (which can happen
> across different kernel boot cycles), this leads to:
> 
> 1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls.
> 2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer
>    using the incorrect (larger) old_log_size.
> 
> The KASAN splat would look similar to:
>   BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x...
>   Read of size N at addr ... by task ...
> 
> Fix this by freeing and reallocating the buffer when the new size
> exceeds the previously allocated size. This ensures old_log always has
> sufficient space for the data being copied.
> 
> Fixes: 201e4aca5aa1 ("pstore/ram: Should update old dmesg buffer before reading")
> Cc: stable@vger.kernel.org
> Signed-off-by: Pwnverse <stanksal@purdue.edu>
> ---
>  fs/pstore/ram_core.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
> index f1848cdd6d34..8df813a42a41 100644
> --- a/fs/pstore/ram_core.c
> +++ b/fs/pstore/ram_core.c
> @@ -298,6 +298,14 @@ void persistent_ram_save_old(struct persistent_ram_zone *prz)
>      if (!size)
>          return;
>  
> +     /*
> +      * If the existing buffer is too small, free it so a new one is
> +      * allocated. This can happen when persistent_ram_save_old() is
> +      * called multiple times with different buffer sizes.
> +      */
> +     if (prz->old_log && prz->old_log_size < size)
> +           persistent_ram_free_old(prz);
> +
>      if (!prz->old_log) {
>          persistent_ram_ecc_old(prz);
>          prz->old_log = kvzalloc(size, GFP_KERNEL);
> -- 
> 2.43.0

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- Your patch is malformed (tabs converted to spaces, linewrapped, etc.)
  and can not be applied.  Please read the file,
  Documentation/process/email-clients.rst in order to fix this.

- It looks like you did not use your "real" name for the patch on either
  the Signed-off-by: line, or the From: line (both of which have to
  match).  Please read the kernel file,
  Documentation/process/submitting-patches.rst for how to do this
  correctly.

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

[PATCH v2] pstore/ram: fix buffer overflow in persistent_ram_save_old()

[Pwnverse]

From: Sai Ritvik Tanksalkar <stanksal@purdue.edu>

persistent_ram_save_old() can be called multiple times for the same
persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz
for PSTORE_TYPE_DMESG records).

Currently, the function only allocates prz->old_log when it is NULL,
but it unconditionally updates prz->old_log_size to the current buffer
size and then performs memcpy_fromio() using this new size. If the
buffer size has grown since the first allocation (which can happen
across different kernel boot cycles), this leads to:

1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls
2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer
   using the incorrect (larger) old_log_size

The KASAN splat would look similar to:
  BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x...
  Read of size N at addr ... by task ...

Fix this by freeing and reallocating the buffer when the new size
exceeds the previously allocated size. This ensures old_log always has
sufficient space for the data being copied.

Fixes: 201e4aca5aa1 ("pstore/ram: Should update old dmesg buffer before reading")
Cc: stable@vger.kernel.org
Signed-off-by: Sai Ritvik Tanksalkar <stanksal@purdue.edu>
---
v2: Fixed Signed-off-by to use real name (was using Github ID).
    Resending with proper mail client to preserve tabs.

 fs/pstore/ram_core.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index f1848cdd6d34..8df813a42a41 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -298,6 +298,14 @@ void persistent_ram_save_old(struct persistent_ram_zone *prz)
 	if (!size)
 		return;
 
+	/*
+	 * If the existing buffer is too small, free it so a new one is
+	 * allocated. This can happen when persistent_ram_save_old() is
+	 * called multiple times with different buffer sizes.
+	 */
+	if (prz->old_log && prz->old_log_size < size)
+		persistent_ram_free_old(prz);
+
 	if (!prz->old_log) {
 		persistent_ram_ecc_old(prz);
 		prz->old_log = kvzalloc(size, GFP_KERNEL);
-- 
2.43.0

Re: [PATCH] pstore/ram: fix buffer overflow in persistent_ram_save_old()

[Kees Cook]

On Sat, Jan 31, 2026 at 02:49:20PM +0000, Sai Ritvik Tanksalkar wrote:
> persistent_ram_save_old() can be called multiple times for the same
> persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz
> for PSTORE_TYPE_DMESG records).

Thanks for the report!

> Currently, the function only allocates prz->old_log when it is NULL,
> but it unconditionally updates prz->old_log_size to the current buffer
> size and then performs memcpy_fromio() using this new size. If the
> buffer size has grown since the first allocation (which can happen
> across different kernel boot cycles), this leads to:
> 
> 1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls.
> 2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer
>    using the incorrect (larger) old_log_size.
> 
> The KASAN splat would look similar to:
>   BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x...
>   Read of size N at addr ... by task ...

"would look"? Have you confirmed this for a real scenario? It seems like
an extreme corner case that should be almost impossible to hit in
practice:

  0. Crash with a ramoops write of less-than-record-max-size bytes.
  1. Reboot: ramoops registers, pstore_get_records(0) reads old crash,
     allocates old_log with size X
  2. Crash handler registered, timer started (if pstore_update_ms >= 0)
  3. Oops happens (non-fatal, system continues)
  4. pstore_dump() writes oops via ramoops_pstore_write() size Y (>X)
  5. pstore_new_entry = 1, pstore_timer_kick() called
  6. System continues running (not a panic oops)
  7. Timer fires after pstore_update_ms milliseconds
  8. pstore_timefunc() → schedule_work() → pstore_dowork() → pstore_get_records(1)
  9. ramoops_get_next_prz() → persistent_ram_save_old()
 10. buffer_size() returns Y, but old_log is X bytes
 11. Y > X: memcpy_fromio() overflows heap

  Requirements:
  - a prior crash record exists that did not fill the record size
    (almost impossible since the crash handler writes as much as it
    can possibly fit into the record, capped by max record size and
    the kmsg buffer almost always exceeds the max record size)
  - pstore_update_ms >= 0 (disabled by default)
  - Non-fatal oops (system survives)

So, yes, this is technically possible, but very very hard to do. :)
Unless you see another way?

> Fix this by freeing and reallocating the buffer when the new size
> exceeds the previously allocated size. This ensures old_log always has
> sufficient space for the data being copied.
> 
> Fixes: 201e4aca5aa1 ("pstore/ram: Should update old dmesg buffer before reading")
> Cc: stable@vger.kernel.org
> Signed-off-by: Pwnverse <stanksal@purdue.edu>
> ---
>  fs/pstore/ram_core.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
> index f1848cdd6d34..8df813a42a41 100644
> --- a/fs/pstore/ram_core.c
> +++ b/fs/pstore/ram_core.c
> @@ -298,6 +298,14 @@ void persistent_ram_save_old(struct persistent_ram_zone *prz)
>      if (!size)
>          return;
> 
> +     /*
> +      * If the existing buffer is too small, free it so a new one is
> +      * allocated. This can happen when persistent_ram_save_old() is
> +      * called multiple times with different buffer sizes.
> +      */
> +     if (prz->old_log && prz->old_log_size < size)

This should be "!=", I think? Just to deal with leaving old data in if
the size _shrinks_ too?

> +           persistent_ram_free_old(prz);
> +
>      if (!prz->old_log) {
>          persistent_ram_ecc_old(prz);
>          prz->old_log = kvzalloc(size, GFP_KERNEL);
> --
> 2.43.0

-- 
Kees Cook