| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <19c025ff2ae.7eb49b99801794.5565209326129667667@linux.beauty>
Date: Wed, 28 Jan 2026 10:12:48 +0800
From: Li Chen <me@...ux.beauty>
To: "Baoquan He" <bhe@...hat.com>
Cc: "Andrew Morton" <akpm@...ux-foundation.org>,
"Eric Biggers" <ebiggers@...nel.org>,
"Steven Chen" <chenste@...ux.microsoft.com>,
"Alexander Graf" <graf@...zon.com>,
"Sourabh Jain" <sourabhjain@...ux.ibm.com>,
"Philipp Rudo" <prudo@...hat.com>,
"Steven Rostedt" <rostedt@...dmis.org>,
"Ricardo Ribalda" <ribalda@...omium.org>,
"Ross Zwisler" <zwisler@...gle.com>,
"kexec" <kexec@...ts.infradead.org>,
"linux-kernel" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] kexec: derive purgatory entry from symbol
Hi Baoquan,
> Hi Li Chen,
>
> On 01/20/26 at 08:40pm, Li Chen wrote:
> > kexec_load_purgatory() derives image->start by locating e_entry inside an
> > SHF_EXECINSTR section. If the purgatory object contains multiple executable
> > sections with overlapping sh_addr, the entrypoint check can match more than
> > once and trigger a WARN.
> >
> > Derive the entry section from the purgatory_start symbol when present and
> > compute image->start from its final placement. Keep the existing e_entry
> > fallback for purgatories that do not expose the symbol.
> >
> > WARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784
> > Call Trace:
> > <TASK>
> > bzImage64_load+0x133/0xa00
> > __do_sys_kexec_file_load+0x2b3/0x5c0
> > do_syscall_64+0x81/0x610
> > entry_SYSCALL_64_after_hwframe+0x76/0x7e
> >
> > Fixes: 8652d44f466a ("kexec: support purgatories with .text.hot sections")
> > Signed-off-by: Li Chen <me@...ux.beauty>
>
> Thanks for fixing the issue. Could you tell how we can trigger this
> issue so that I can reproduce it?
>
> > ---
> > kernel/kexec_file.c | 24 ++++++++++++++++++++++--
> > 1 file changed, 22 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index 3f1d6c4e8ff2..d3c68c6b4bbc 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -880,6 +880,8 @@ static int kexec_calculate_store_digests(struct kimage *image)
> > }
> >
> > #ifdef CONFIG_ARCH_SUPPORTS_KEXEC_PURGATORY
> > +static const Elf_Sym * kexec_purgatory_find_symbol(struct purgatory_info *pi,
> > + const char *name);
>
> Here, is it better to move the whole function body of
> kexec_purgatory_find_symbol() here so that kexec_purgatory_setup_sechdrs()
> can see it too?
>
> Other than the concerns about how to reproducing and above one, this
> patch looks good to me.
Thanks for the review.
For reference, I observed this WARN on x86_64 with linux-next tag
next-20260106 and the savedefconfig included below. Toolchain was GCC
15.2.1 and binutils 2.45.1.
The WARN is triggered in the kexec_file_load path (kexec -s -l), during
purgatory load/relocation. No kexec -e is required.
command I used:
sudo kexec -s -l /boot/vmlinuz-$(uname -r) \
--initrd=/boot/initramfs-$(uname -r).img \
--append="$(cat /proc/cmdline | sed -E \"s/(^| )BOOT_IMAGE=[^ ]+//g\")"
Regarding kexec_purgatory_find_symbol(), agreed; I will move the helper
body above kexec_purgatory_setup_sechdrs() in v2 to avoid the forward
declaration.
kernel config:
https://gist.github.com/FirstLoveLife/b0e7c7da7146f1ba63167b76cb10683a
Regards,
Li
Powered by blists - more mailing lists