| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251103110159.8399-1-pratyush@kernel.org>
Date: Mon, 3 Nov 2025 12:01:57 +0100
From: Pratyush Yadav <pratyush@...nel.org>
To: Andrew Morton <akpm@...ux-foundation.org>,
Baoquan He <bhe@...hat.com>,
Alexander Graf <graf@...zon.com>,
Mike Rapoport <rppt@...nel.org>,
Pasha Tatashin <pasha.tatashin@...een.com>,
Pratyush Yadav <pratyush@...nel.org>
Cc: kexec@...ts.infradead.org,
linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] kho: fix out-of-bounds access of vmalloc chunk
The list of pages in a vmalloc chunk is NULL-terminated. So when looping
through the pages in a vmalloc chunk, both kho_restore_vmalloc() and
kho_vmalloc_unpreserve_chunk() rightly make sure to stop when
encountering a NULL page. But when the chunk is full, the loops do not
stop and go past the bounds of chunk->phys, resulting in out-of-bounds
memory access, and possibly the restoration or unpreservation of an
invalid page.
Fix this by making sure the processing of chunk stops at the end of the
array.
Fixes: a667300bd53f2 ("kho: add support for preserving vmalloc allocations")
Signed-off-by: Pratyush Yadav <pratyush@...nel.org>
---
Notes:
Commit 89a3ecca49ee8 ("kho: make sure page being restored is actually
from KHO") was quite helpful in catching this since kho_restore_page()
errored out due to missing magic number, instead of "restoring" a random
page and causing errors at other random places.
kernel/kexec_handover.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/kexec_handover.c b/kernel/kexec_handover.c
index 76f0940fb4856..cc5aaa738bc50 100644
--- a/kernel/kexec_handover.c
+++ b/kernel/kexec_handover.c
@@ -869,7 +869,7 @@ static void kho_vmalloc_unpreserve_chunk(struct kho_vmalloc_chunk *chunk)
__kho_unpreserve(track, pfn, pfn + 1);
- for (int i = 0; chunk->phys[i]; i++) {
+ for (int i = 0; i < ARRAY_SIZE(chunk->phys) && chunk->phys[i]; i++) {
pfn = PHYS_PFN(chunk->phys[i]);
__kho_unpreserve(track, pfn, pfn + 1);
}
@@ -992,7 +992,7 @@ void *kho_restore_vmalloc(const struct kho_vmalloc *preservation)
while (chunk) {
struct page *page;
- for (int i = 0; chunk->phys[i]; i++) {
+ for (int i = 0; i < ARRAY_SIZE(chunk->phys) && chunk->phys[i]; i++) {
phys_addr_t phys = chunk->phys[i];
if (idx + contig_pages > total_pages)
base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
--
2.47.3
Powered by blists - more mailing lists