| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <2742c5333700b577bda375a3bf80f55ca5aa92bdd66ecc85e85a8f762d94c277@mail.kernel.org>
Date: Mon, 19 Jan 2026 18:45:38 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: piliu@...hat.com,kexec@...ts.infradead.org
Cc: piliu@...hat.com,davem@...emloft.net,ast@...nel.org,daniel@...earbox.net,john.fastabend@...il.com,andrii@...nel.org,martin.lau@...ux.dev,eddyz87@...il.com,song@...nel.org,yonghong.song@...ux.dev,jeremy.linton@....com,catalin.marinas@....com,will@...nel.org,ardb@...nel.org,horms@...nel.org,kraxel@...hat.com,vkuznets@...hat.com,prudo@...hat.com,vmalik@...hat.com,kernel@...rr.cc,bhe@...hat.com,dyoung@...hat.com,akpm@...ux-foundation.org,bpf@...r.kernel.org,systemd-devel@...ts.freedesktop.org,linux-kernel@...r.kernel.org,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCHv6 13/13] tools/kexec: Add a zboot image building tool
> diff --git a/tools/kexec/pe.h b/tools/kexec/pe.h
> new file mode 100644
> index 000000000000..c2273d3fc3bb
> --- /dev/null
> +++ b/tools/kexec/pe.h
[ ... ]
> +/*
> + * Return -1 if not PE, else offset of the PE header
> + */
> +static int get_pehdr_offset(const char *buf)
> +{
> + int pe_hdr_offset;
> +
> + pe_hdr_offset = *((int *)(buf + 0x3c));
> + buf += pe_hdr_offset;
> + if (!!memcmp(buf, "PE\0\0", 4)) {
> + printf("Not a PE file\n");
> + return -1;
> + }
> +
> + return pe_hdr_offset;
> +}
This function returns int and can return -1 on error, but the caller stores
the result in a uint32_t without checking for errors (see below).
> diff --git a/tools/kexec/zboot_image_builder.c b/tools/kexec/zboot_image_builder.c
> new file mode 100644
> index 000000000000..c0a785074970
> --- /dev/null
> +++ b/tools/kexec/zboot_image_builder.c
[ ... ]
> +int main(int argc, char **argv)
> +{
> + uint32_t payload_new_offset, payload_sect_off;
> + uint32_t payload_size;
> + uint32_t payload_sect_idx;
^^^^^^^^^^^^^^^^
Are payload_sect_idx and payload_sect_off intentionally left uninitialized
here? If the loop below never finds a matching section, these variables
will contain garbage values.
[ ... ]
> + uint32_t pe_hdr_offset = get_pehdr_offset((const char *)base_start_addr);
> + base_cur = base_start_addr + pe_hdr_offset;
Is there a missing check for the return value of get_pehdr_offset()? The
function returns -1 on error (printing "Not a PE file"), but this code
stores it in a uint32_t and uses it directly. If get_pehdr_offset()
returns -1, pe_hdr_offset becomes 0xFFFFFFFF, and base_cur will point far
past the mapped region.
[ ... ]
> + /* Decide the section idx and the payload offset within the section */
> + for (i = 0; i < num_sections; i++) {
> + sect = &base_sections[i];
> + if (zheader->payload_offset >= sect->data_addr &&
> + zheader->payload_offset < (sect->data_addr + sect->raw_data_size)) {
> + payload_sect_idx = i;
> + payload_sect_off = zheader->payload_offset - sect->data_addr;
> + }
> + }
If the condition is never true (payload_offset not within any section),
payload_sect_idx and payload_sect_off remain uninitialized. They are used
later in:
payload_new_offset = new_sections[payload_sect_idx].data_addr + payload_sect_off;
Could this cause undefined behavior with a malformed input file?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407
Powered by blists - more mailing lists