From: Breno Leitao <leitao@debian•org>
To: Jinjie Ruan <ruanjinjie@huawei•com>
Cc: corbet@lwn•net, skhan@linuxfoundation•org,
catalin.marinas@arm•com, will@kernel•org, chenhuacai@kernel•org,
kernel@xen0n•name, maddy@linux•ibm.com, mpe@ellerman•id.au,
npiggin@gmail•com, chleroy@kernel•org, pjw@kernel•org,
palmer@dabbelt•com, aou@eecs•berkeley.edu, alex@ghiti•fr,
tglx@kernel•org, mingo@redhat•com, bp@alien8•de,
dave.hansen@linux•intel.com, hpa@zytor•com, robh@kernel•org,
saravanak@kernel•org, akpm@linux-foundation•org, bhe@redhat•com,
rppt@kernel•org, pasha.tatashin@soleen•com, pratyush@kernel•org,
ruirui.yang@linux•dev, rdunlap@infradead•org, pmladek@suse•com,
dapeng1.mi@linux•intel.com, kees@kernel•org, elver@google•com,
kuba@kernel•org, ebiggers@kernel•org, lirongqing@baidu•com,
paulmck@kernel•org, sourabhjain@linux•ibm.com, coxu@redhat•com,
jbohac@suse•cz, ryan.roberts@arm•com, osandov@fb•com,
cfsworks@gmail•com, tangyouling@kylinos•cn,
ritesh.list@gmail•com, adityag@linux•ibm.com, guoren@kernel•org,
songshuaishuai@tinylab•org, kevin.brodsky@arm•com,
vishal.moola@gmail•com, junhui.liu@pigmoral•tech,
wangruikang@iscas•ac.cn, namcao@linutronix•de,
chao.gao@intel•com, seanjc@google•com,
fuqiang.wang@easystack•cn, ardb@kernel•org,
chenjiahao16@huawei•com, hbathini@linux•ibm.com,
takahiro.akashi@linaro•org, james.morse@arm•com,
lizhengyu3@huawei•com, x86@kernel•org, linux-doc@vger•kernel.org,
linux-kernel@vger•kernel.org,
linux-arm-kernel@lists•infradead.org, loongarch@lists•linux.dev,
linuxppc-dev@lists•ozlabs.org, linux-riscv@lists•infradead.org,
devicetree@vger•kernel.org, kexec@lists•infradead.org
Subject: Re: [PATCH v13 04/15] arm64: kexec_file: Fix potential buffer overflow in prepare_elf_headers()
Date: Mon, 11 May 2026 05:30:54 -0700 [thread overview]
Message-ID: <agHL1zzC5bzgoCiJ@gmail.com> (raw)
In-Reply-To: <79c14bee-b1f5-4d70-8345-6582d6cf0128@huawei.com>
On Mon, May 11, 2026 at 07:30:44PM +0800, Jinjie Ruan wrote:
>
>
> On 5/11/2026 5:46 PM, Breno Leitao wrote:
> > On Mon, May 11, 2026 at 11:04:43AM +0800, Jinjie Ruan wrote:
> >> There is a race condition between the kexec_load() system call
> >> (crash kernel loading path) and memory hotplug operations that can
> >> lead to buffer overflow and potential kernel crash.
> >>
> >> During prepare_elf_headers(), the following steps occur:
> >> 1. The first for_each_mem_range() queries current System RAM memory ranges
> >> 2. Allocates buffer based on queried count
> >> 3. The 2st for_each_mem_range() populates ranges from memblock
> >>
> >> If memory hotplug occurs between step 1 and step 3, the number of ranges
> >> can increase, causing out-of-bounds write when populating cmem->ranges[].
> >>
> >> This happens because kexec_load() uses kexec_trylock (atomic_t) while
> >> memory hotplug uses device_hotplug_lock (mutex), so they don't serialize
> >> with each other.
> >>
> >> Add the explicit bounds checking to prevent out-of-bounds access.
> >
> > It seems you have a TOCTOU type of issue, and this seems to be shrinking
> > the window, but not fully solving it?
>
> Hi Breno,
>
> Thanks for your comments regarding the TOCTOU issue.
>
> You are correct that the current bounds checking only "shrinks the
> window" and prevents a kernel crash, but doesn't fully guarantee header
> consistency if a race occurs.
>
> In my local environment, this race is extremely difficult to reproduce,
> but it is theoretically possible.
>
> To address this properly for arm64, I am considering two steps:
>
> - For this patch: I will change the return value to -EAGAIN and keep the
> bounds check. This ensures that even if a race happens, the kernel
> remains safe (no OOB access), and user-space is notified to retry.
>
> - Long-term solution: A better way to solve this is to implement ARM64
> CRASH_HOTPLUG support (similar to x86). With crash hotplug, the kernel
> will automatically re-generate the crash headers whenever a memory
> hotplug event occurs. This makes the TOCTOU during the initial
> kexec_load less critical, as any transient inconsistency will be
> immediately corrected by the subsequent hotplug handler.
>
> Does it make sense to you to use this patch as a safety guard first, and
> then I (or someone else) follow up with the full CRASH_HOTPLUG support
> for arm64 as [1]?
It would be OK for me, but, make it explict that there is a TOCTOU
issue, that depends on CRASH_HOTPLUG.
next prev parent reply other threads:[~2026-05-11 12:32 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 3:04 [PATCH v13 00/15] arm64/riscv: Add support for crashkernel CMA reservation Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 01/15] riscv: kexec_file: Fix crashk_low_res not exclude bug Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 02/15] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 03/15] x86/kexec: Fix potential buffer overflow in prepare_elf_headers() Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 04/15] arm64: kexec_file: " Jinjie Ruan
2026-05-11 9:46 ` Breno Leitao
2026-05-11 11:30 ` Jinjie Ruan
2026-05-11 12:30 ` Breno Leitao [this message]
2026-05-19 12:42 ` Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 05/15] riscv: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 06/15] LoongArch: kexec: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 07/15] powerpc/crash: sort crash memory ranges before preparing elfcorehdr Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 08/15] crash: Add crash_prepare_headers() to exclude crash kernel memory Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 09/15] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 10/15] x86/kexec: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 11/15] riscv: kexec_file: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 12/15] LoongArch: kexec: " Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 13/15] crash: Use crash_exclude_core_ranges() on powerpc Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 14/15] arm64: kexec: Add support for crashkernel CMA reservation Jinjie Ruan
2026-05-11 3:04 ` [PATCH v13 15/15] riscv: " Jinjie Ruan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agHL1zzC5bzgoCiJ@gmail.com \
--to=leitao@debian$(echo .)org \
--cc=adityag@linux$(echo .)ibm.com \
--cc=akpm@linux-foundation$(echo .)org \
--cc=alex@ghiti$(echo .)fr \
--cc=aou@eecs$(echo .)berkeley.edu \
--cc=ardb@kernel$(echo .)org \
--cc=bhe@redhat$(echo .)com \
--cc=bp@alien8$(echo .)de \
--cc=catalin.marinas@arm$(echo .)com \
--cc=cfsworks@gmail$(echo .)com \
--cc=chao.gao@intel$(echo .)com \
--cc=chenhuacai@kernel$(echo .)org \
--cc=chenjiahao16@huawei$(echo .)com \
--cc=chleroy@kernel$(echo .)org \
--cc=corbet@lwn$(echo .)net \
--cc=coxu@redhat$(echo .)com \
--cc=dapeng1.mi@linux$(echo .)intel.com \
--cc=dave.hansen@linux$(echo .)intel.com \
--cc=devicetree@vger$(echo .)kernel.org \
--cc=ebiggers@kernel$(echo .)org \
--cc=elver@google$(echo .)com \
--cc=fuqiang.wang@easystack$(echo .)cn \
--cc=guoren@kernel$(echo .)org \
--cc=hbathini@linux$(echo .)ibm.com \
--cc=hpa@zytor$(echo .)com \
--cc=james.morse@arm$(echo .)com \
--cc=jbohac@suse$(echo .)cz \
--cc=junhui.liu@pigmoral$(echo .)tech \
--cc=kees@kernel$(echo .)org \
--cc=kernel@xen0n$(echo .)name \
--cc=kevin.brodsky@arm$(echo .)com \
--cc=kexec@lists$(echo .)infradead.org \
--cc=kuba@kernel$(echo .)org \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
--cc=linux-doc@vger$(echo .)kernel.org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux-riscv@lists$(echo .)infradead.org \
--cc=linuxppc-dev@lists$(echo .)ozlabs.org \
--cc=lirongqing@baidu$(echo .)com \
--cc=lizhengyu3@huawei$(echo .)com \
--cc=loongarch@lists$(echo .)linux.dev \
--cc=maddy@linux$(echo .)ibm.com \
--cc=mingo@redhat$(echo .)com \
--cc=mpe@ellerman$(echo .)id.au \
--cc=namcao@linutronix$(echo .)de \
--cc=npiggin@gmail$(echo .)com \
--cc=osandov@fb$(echo .)com \
--cc=palmer@dabbelt$(echo .)com \
--cc=pasha.tatashin@soleen$(echo .)com \
--cc=paulmck@kernel$(echo .)org \
--cc=pjw@kernel$(echo .)org \
--cc=pmladek@suse$(echo .)com \
--cc=pratyush@kernel$(echo .)org \
--cc=rdunlap@infradead$(echo .)org \
--cc=ritesh.list@gmail$(echo .)com \
--cc=robh@kernel$(echo .)org \
--cc=rppt@kernel$(echo .)org \
--cc=ruanjinjie@huawei$(echo .)com \
--cc=ruirui.yang@linux$(echo .)dev \
--cc=ryan.roberts@arm$(echo .)com \
--cc=saravanak@kernel$(echo .)org \
--cc=seanjc@google$(echo .)com \
--cc=skhan@linuxfoundation$(echo .)org \
--cc=songshuaishuai@tinylab$(echo .)org \
--cc=sourabhjain@linux$(echo .)ibm.com \
--cc=takahiro.akashi@linaro$(echo .)org \
--cc=tangyouling@kylinos$(echo .)cn \
--cc=tglx@kernel$(echo .)org \
--cc=vishal.moola@gmail$(echo .)com \
--cc=wangruikang@iscas$(echo .)ac.cn \
--cc=will@kernel$(echo .)org \
--cc=x86@kernel$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox