| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <f7a838c389c0356a7a52dc2fa09b5db8f24a6eed1d7dbc346250e4f3db233855@mail.kernel.org>
Date: Mon, 19 Jan 2026 18:45:40 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: piliu@...hat.com,kexec@...ts.infradead.org
Cc: piliu@...hat.com,davem@...emloft.net,ast@...nel.org,daniel@...earbox.net,john.fastabend@...il.com,andrii@...nel.org,martin.lau@...ux.dev,eddyz87@...il.com,song@...nel.org,yonghong.song@...ux.dev,jeremy.linton@....com,catalin.marinas@....com,will@...nel.org,ardb@...nel.org,horms@...nel.org,kraxel@...hat.com,vkuznets@...hat.com,prudo@...hat.com,vmalik@...hat.com,kernel@...rr.cc,bhe@...hat.com,dyoung@...hat.com,akpm@...ux-foundation.org,bpf@...r.kernel.org,systemd-devel@...ts.freedesktop.org,linux-kernel@...r.kernel.org,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCHv6 12/13] tools/kexec: Introduce a bpf-prog to parse zboot image format
> diff --git a/tools/kexec/zboot_parser_bpf.c b/tools/kexec/zboot_parser_bpf.c
> new file mode 100644
> index 000000000000..54c4b762b332
> --- /dev/null
> +++ b/tools/kexec/zboot_parser_bpf.c
[ ... ]
> +/* see drivers/firmware/efi/libstub/zboot-header.S */
> +struct linux_pe_zboot_header {
> + unsigned int mz_magic;
> + char image_type[4];
> + unsigned int payload_offset;
> + unsigned int payload_size;
> + unsigned int reserved[2];
> + char comp_type[4];
> + unsigned int linux_pe_magic;
> + unsigned int pe_header_offset;
> +} __attribute__((packed));
[ ... ]
> + unsigned int payload_offset = zboot_header->payload_offset;
> + unsigned int payload_size = zboot_header->payload_size;
> + bpf_printk("zboot image payload offset=0x%x, size=0x%x\n", payload_offset, payload_size);
> + /* sane check */
> + if (payload_size > image_sz) {
> + bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
> + bpf_printk("Invalid zboot image payload offset and size\n");
> + return 0;
> + }
Should this bounds check also verify that payload_offset + payload_size
does not exceed image_sz? The current check only validates that payload_size
fits, but if payload_offset is large (e.g., near image_sz), the read below
could extend past the end of the kernel buffer.
For example, with payload_offset = image_sz - 10 and payload_size = 100,
the check "payload_size > image_sz" passes, but the bpf_probe_read below
would read 90 bytes past the valid buffer boundary.
> + unsigned int max_payload = MAX_RECORD_SIZE - sizeof(struct cmd_hdr);
> + if (payload_size >= max_payload) {
> + bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
> + bpf_printk("Err: payload_size > MAX_RECORD_SIZE\n");
> + return 0;
> + }
> + void *dst = (void *)buf + sizeof(struct cmd_hdr);
> + /* Overwrite buf */
> + struct cmd_hdr *cmd = (struct cmd_hdr *)buf;
> + cmd->cmd = KEXEC_BPF_CMD_DECOMPRESS;
> + cmd->subcmd = KEXEC_BPF_SUBCMD_KERNEL;
> + /* 4 bytes original size is appended after vmlinuz.bin */
> + cmd->payload_len = payload_size - 4;
> + bpf_probe_read(dst, payload_size, context->kernel + payload_offset);
^^^^^^^^^^^^^^^
This is where the out-of-bounds read could occur if payload_offset +
payload_size > image_sz. While bpf_probe_read is safe and will not crash
(it uses copy_from_kernel_nofault internally), it could read from adjacent
kernel memory if the zboot header contains invalid offset/size values.
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407
Powered by blists - more mailing lists