This series tries to fix the potential cmem->ranges out of bounds.
On the v1 version, there are still some issues that need to be
discussed, as follows:
1) Whether we need have the cmem->ranges[] partly changed, or keep it
unchanged when OOB happened. Previously discussed link:[1].
2) Set cmem->max_nr_ranges in crash_setup_memmap_entries() to 1 or 2.
Previously discussed link:[2].
3) To enhance crash_setup_memmap_entries() readability, how to move
code. Previously discussed link:[2].
v2:
- Fix potential out of bounds in crash_setup_memmap_entries().
- Add a comment in fill_up_crash_elf_data() to explain why the array
size do not need to be changed.
v1:
Link: https://lore.kernel.org/all/[email protected]/
[1]: https://lore.kernel.org/all/ZXrY7QbXAlxydsSC@MiWiFi-R3L-srv/
[2]: https://lore.kernel.org/all/[email protected]/
fuqiang wang (2):
x86/kexec: Fix potential out of bounds in crash_setup_memmap_entries()
kexec: Fix potential out of bounds in crash_exclude_mem_range()
arch/x86/kernel/crash.c | 20 ++++++++++++++------
kernel/crash_core.c | 7 +++----
2 files changed, 17 insertions(+), 10 deletions(-)
--
2.42.0
When the split does not occur on the last array member, the current code
will not return an error. So the correct array out-of-bounds check should
be mem->nr_ranges >= mem->max_nr_ranges.
When the OOB happen, the cmem->ranges[] have changed, so return early to
avoid it.
Signed-off-by: fuqiang wang <[email protected]>
---
kernel/crash_core.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/kernel/crash_core.c b/kernel/crash_core.c
index d4313b53837e..b1ab61c74fd2 100644
--- a/kernel/crash_core.c
+++ b/kernel/crash_core.c
@@ -611,6 +611,9 @@ int crash_exclude_mem_range(struct crash_mem *mem,
}
if (p_start > start && p_end < end) {
+ /* Split happened */
+ if (mem->nr_ranges >= mem->max_nr_ranges)
+ return -ENOMEM;
/* Split original range */
mem->ranges[i].end = p_start - 1;
temp_range.start = p_end + 1;
@@ -626,10 +629,6 @@ int crash_exclude_mem_range(struct crash_mem *mem,
if (!temp_range.end)
return 0;
- /* Split happened */
- if (i == mem->max_nr_ranges - 1)
- return -ENOMEM;
-
/* Location where new range should go */
j = i + 1;
if (j < mem->nr_ranges) {
--
2.42.0
On 12/20/23 at 01:57pm, fuqiang wang wrote:
> When the split does not occur on the last array member, the current code
> will not return an error. So the correct array out-of-bounds check should
> be mem->nr_ranges >= mem->max_nr_ranges.
>
> When the OOB happen, the cmem->ranges[] have changed, so return early to
> avoid it.
>
> Signed-off-by: fuqiang wang <[email protected]>
> ---
> kernel/crash_core.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
You may need rebase your work on next/master branch to avoid conflict.
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
In the current, below commit exists, then code change in this patch may
not be needed.
86d80cbb61ca crash_core: fix and simplify the logic of crash_exclude_mem_range()
>
> diff --git a/kernel/crash_core.c b/kernel/crash_core.c
> index d4313b53837e..b1ab61c74fd2 100644
> --- a/kernel/crash_core.c
> +++ b/kernel/crash_core.c
> @@ -611,6 +611,9 @@ int crash_exclude_mem_range(struct crash_mem *mem,
> }
>
> if (p_start > start && p_end < end) {
> + /* Split happened */
> + if (mem->nr_ranges >= mem->max_nr_ranges)
> + return -ENOMEM;
> /* Split original range */
> mem->ranges[i].end = p_start - 1;
> temp_range.start = p_end + 1;
> @@ -626,10 +629,6 @@ int crash_exclude_mem_range(struct crash_mem *mem,
> if (!temp_range.end)
> return 0;
>
> - /* Split happened */
> - if (i == mem->max_nr_ranges - 1)
> - return -ENOMEM;
> -
> /* Location where new range should go */
> j = i + 1;
> if (j < mem->nr_ranges) {
> --
> 2.42.0
>
在 2023/12/21 19:42, Baoquan He 写道:
> You may need rebase your work on next/master branch to avoid conflict.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
>
> In the current, below commit exists, then code change in this patch may
> not be needed.
> 86d80cbb61ca crash_core: fix and simplify the logic of crash_exclude_mem_range()
>
Yes, Baoquan, you are right. It's my mistake. Thank you very much ~