Re: [PATCH] pstore/ram: fix buffer overflow in persistent_ram_save_old()

[Kees Cook <kees@kernel.org>]

On Sat, Jan 31, 2026 at 02:49:20PM +0000, Sai Ritvik Tanksalkar wrote:
> persistent_ram_save_old() can be called multiple times for the same
> persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz
> for PSTORE_TYPE_DMESG records).

Thanks for the report!

> Currently, the function only allocates prz->old_log when it is NULL,
> but it unconditionally updates prz->old_log_size to the current buffer
> size and then performs memcpy_fromio() using this new size. If the
> buffer size has grown since the first allocation (which can happen
> across different kernel boot cycles), this leads to:
> 
> 1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls.
> 2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer
>    using the incorrect (larger) old_log_size.
> 
> The KASAN splat would look similar to:
>   BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x...
>   Read of size N at addr ... by task ...

"would look"? Have you confirmed this for a real scenario? It seems like
an extreme corner case that should be almost impossible to hit in
practice:

  0. Crash with a ramoops write of less-than-record-max-size bytes.
  1. Reboot: ramoops registers, pstore_get_records(0) reads old crash,
     allocates old_log with size X
  2. Crash handler registered, timer started (if pstore_update_ms >= 0)
  3. Oops happens (non-fatal, system continues)
  4. pstore_dump() writes oops via ramoops_pstore_write() size Y (>X)
  5. pstore_new_entry = 1, pstore_timer_kick() called
  6. System continues running (not a panic oops)
  7. Timer fires after pstore_update_ms milliseconds
  8. pstore_timefunc() → schedule_work() → pstore_dowork() → pstore_get_records(1)
  9. ramoops_get_next_prz() → persistent_ram_save_old()
 10. buffer_size() returns Y, but old_log is X bytes
 11. Y > X: memcpy_fromio() overflows heap

  Requirements:
  - a prior crash record exists that did not fill the record size
    (almost impossible since the crash handler writes as much as it
    can possibly fit into the record, capped by max record size and
    the kmsg buffer almost always exceeds the max record size)
  - pstore_update_ms >= 0 (disabled by default)
  - Non-fatal oops (system survives)

So, yes, this is technically possible, but very very hard to do. :)
Unless you see another way?

> Fix this by freeing and reallocating the buffer when the new size
> exceeds the previously allocated size. This ensures old_log always has
> sufficient space for the data being copied.
> 
> Fixes: 201e4aca5aa1 ("pstore/ram: Should update old dmesg buffer before reading")
> Cc: stable@vger.kernel.org
> Signed-off-by: Pwnverse <stanksal@purdue.edu>
> ---
>  fs/pstore/ram_core.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
> index f1848cdd6d34..8df813a42a41 100644
> --- a/fs/pstore/ram_core.c
> +++ b/fs/pstore/ram_core.c
> @@ -298,6 +298,14 @@ void persistent_ram_save_old(struct persistent_ram_zone *prz)
>      if (!size)
>          return;
> 
> +     /*
> +      * If the existing buffer is too small, free it so a new one is
> +      * allocated. This can happen when persistent_ram_save_old() is
> +      * called multiple times with different buffer sizes.
> +      */
> +     if (prz->old_log && prz->old_log_size < size)

This should be "!=", I think? Just to deal with leaving old data in if
the size _shrinks_ too?

> +           persistent_ram_free_old(prz);
> +
>      if (!prz->old_log) {
>          persistent_ram_ecc_old(prz);
>          prz->old_log = kvzalloc(size, GFP_KERNEL);
> --
> 2.43.0

-- 
Kees Cook