From: fuqiang wang
To: Baoquan He, Vivek Goyal, Dave Young
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] kexec: avoid out of bounds in crash_exclude_mem_range()
Date: Mon, 27 Nov 2023 10:56:39 +0800
Message-ID: <20231127025641.62210-1-fuqiang.wang@easystack.cn>

When the split happened, judge whether mem->nr_ranges is equal to
mem->max_nr_ranges. If it is true, return -ENOMEM.

The advantage of doing this is that it can avoid array bounds caused by
some bugs. E.g., before commit 4831be702b95 ("arm64/kexec: Fix missing
extra range for crashkres_low."), reserving both high and low memories
for the crashkernel may cause out of bounds.

On the other hand, move this code before the split to ensure that the
array will not be changed when returning an error.

Signed-off-by: fuqiang wang
---
 kernel/crash_core.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/crash_core.c b/kernel/crash_core.c index efe87d501c8c..ffdc246cf425 100644 --- a/kernel/crash_core.c +++ b/kernel/crash_core.c @@ -611,6 +611,9 @@ int crash_exclude_mem_range(struct crash_mem *mem, } if (p_start > start && p_end < end) { + /* Split happened */ + if (mem->nr_ranges == mem->max_nr_ranges) + return -ENOMEM; /* Split original range */ mem->ranges[i].end = p_start - 1; temp_range.start = p_end + 1; @@ -626,9 +629,6 @@ int crash_exclude_mem_range(struct crash_mem *mem, if (!temp_range.end) return 0; - /* Split happened */ - if (i == mem->max_nr_ranges - 1) - return -ENOMEM; /* Location where new range should go */ j = i + 1; -- 2.42.0
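
Review bot: In the first hunk, the new test `if (mem->nr_ranges == mem->max_nr_ranges)` only catches the exactly-full case; since the changelog presents it as a guard against bugs elsewhere, `mem->nr_ranges >= mem->max_nr_ranges` would also reject a crash_mem whose count has already gone past the limit. The added comment "/* Split happened */" now sits before the split is performed and directly above "/* Split original range */", so it reads as stale; drop it or reword it to say that a split needs one free slot in mem->ranges.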
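
Review bot: The check removed in the second hunk, `if (i == mem->max_nr_ranges - 1)`, tested the index of the range being split, while its replacement tests the element count, so this is a change of condition and not only the move the changelog describes; please say so in the commit message and explain why the index test was not sufficient. With it gone, the insertion at `j = i + 1` depends entirely on the earlier count check, which deserves a short comment at that point so a later refactor does not separate the two.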