| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <028f71c299f5611605a71e8765c660e34ddd74900081d61e79c33f8f2599b8c1@mail.kernel.org>
Date: Mon, 19 Jan 2026 18:45:32 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: piliu@...hat.com,kexec@...ts.infradead.org
Cc: piliu@...hat.com,davem@...emloft.net,ast@...nel.org,daniel@...earbox.net,john.fastabend@...il.com,andrii@...nel.org,martin.lau@...ux.dev,eddyz87@...il.com,song@...nel.org,yonghong.song@...ux.dev,jeremy.linton@....com,catalin.marinas@....com,will@...nel.org,ardb@...nel.org,horms@...nel.org,kraxel@...hat.com,vkuznets@...hat.com,prudo@...hat.com,vmalik@...hat.com,kernel@...rr.cc,bhe@...hat.com,dyoung@...hat.com,akpm@...ux-foundation.org,bpf@...r.kernel.org,systemd-devel@...ts.freedesktop.org,linux-kernel@...r.kernel.org,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCHv6 03/13] kexec_file: Introduce routines to parse PE file
> diff --git a/kernel/kexec_uefi_app.c b/kernel/kexec_uefi_app.c
> new file mode 100644
> index 000000000000..dbe6d76d47ff
> --- /dev/null
> +++ b/kernel/kexec_uefi_app.c
[ ... ]
> +static bool is_valid_pe(const char *kernel_buf, unsigned long kernel_len)
> +{
> + struct mz_hdr *mz;
> + struct pe_hdr *pe;
> +
> + if (!kernel_buf)
> + return false;
> + mz = (struct mz_hdr *)kernel_buf;
> + if (mz->magic != IMAGE_DOS_SIGNATURE)
> + return false;
> + pe = (struct pe_hdr *)(kernel_buf + mz->peaddr);
The kernel_len parameter is declared but never used in this function.
Should this validate that mz->peaddr is within bounds of kernel_len before
accessing pe->magic? If mz->peaddr is larger than the buffer size, this
would read out of bounds.
> + if (pe->magic != IMAGE_NT_SIGNATURE)
> + return false;
> + if (pe->opt_hdr_size == 0) {
> + pr_err("optional header is missing\n");
> + return false;
> + }
> + return true;
> +}
[ ... ]
> +int pe_get_section(const char *file_buf, const char *sect_name,
> + char **sect_start, unsigned long *sect_sz)
> +{
> + struct pe_hdr *pe_hdr;
> + struct pe32plus_opt_hdr *opt_hdr;
> + struct section_header *sect_hdr;
> + int section_nr, i;
> + struct mz_hdr *mz = (struct mz_hdr *)file_buf;
> +
> + *sect_start = NULL;
> + *sect_sz = 0;
> + pe_hdr = (struct pe_hdr *)(file_buf + mz->peaddr);
> + section_nr = pe_hdr->sections;
> + opt_hdr = (struct pe32plus_opt_hdr *)(file_buf + mz->peaddr +
> + sizeof(struct pe_hdr));
> + sect_hdr = (struct section_header *)((char *)opt_hdr +
> + pe_hdr->opt_hdr_size);
> +
> + for (i = 0; i < section_nr; i++) {
pe_get_section() has no buffer size parameter. The values of mz->peaddr,
pe_hdr->sections, and pe_hdr->opt_hdr_size are all read from the PE file
content. If the file is malformed or crafted, section_nr could be set to an
arbitrarily large value, causing sect_hdr to iterate past the end of
file_buf. Is there a way to validate these offsets against the actual
buffer size?
> + if (strcmp(sect_hdr->name, sect_name) == 0) {
> + *sect_start = (char *)file_buf + sect_hdr->data_addr;
> + *sect_sz = sect_hdr->raw_data_size;
> + return 0;
> + }
> + sect_hdr++;
> + }
> +
> + return -1;
> +}
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407
Powered by blists - more mailing lists