[PATCH v15 13/23] riscv: kexec_file: Fix TOCTOU buffer overflow via memory... | linuxppc-dev

[PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 02/23] powerpc/crash: Fix possible memory leak in update_crash_elfcorehdr() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 01/23] riscv: kexec_file: Fix crashk_low_res not exclude bug · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 03/23] powerpc/kexec_file: Fix NULL pointer dereference in kexec_extra_fdt_size_ppc64() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 04/23] powerpc/kexec_file: Fix memory range truncation in __merge_memory_ranges() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 06/23] kexec: Extract kexec_free_segment_cma() from kimage_free_cma() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 05/23] powerpc/crash: sort crash memory ranges before preparing elfcorehdr · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 07/23] arm64: kexec_file: Fix CMA page leaks during segment placement retry loops · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 08/23] arm64: kexec_file: Fix image->elf_headers memory leak during retry loop · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 09/23] kexec: Fix UAF and Double Free in crash_load_dm_crypt_keys() · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 11/23] x86: kexec_file: Fix TOCTOU buffer overflow via memory region padding · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 10/23] crash_core: Introduce CRASH_HOTPLUG_SAFETY_PADDING for memory hotplug safety · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 12/23] arm64: kexec_file: Fix TOCTOU buffer overflow via memory region padding · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 13/23] riscv: kexec_file: Fix TOCTOU buffer overflow via memory region padding · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 14/23] LoongArch: kexec_file: Fix TOCTOU buffer overflow via memory region padding · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 15/23] crash: Add crash_prepare_headers() to exclude crash kernel memory · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 16/23] arm64: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 17/23] x86: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 19/23] LoongArch: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 18/23] riscv: kexec_file: Use crash_prepare_headers() helper to simplify code · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 20/23] powerpc/kexec_file: Use crash_exclude_core_ranges() helper · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 21/23] arm64: kexec_file: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 22/23] riscv: kexec_file: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-06-01
[PATCH v15 23/23] arm64: crash: Add crash hotplug support · Jinjie Ruan <hidden> · 2026-06-01
Re: [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation · Baoquan He <baoquan.he@linux.dev> · 2026-06-01
Re: [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation · Jinjie Ruan <hidden> · 2026-06-02
Re: [PATCH v15 00/23] arm64/riscv: Add support for crashkernel CMA reservation · Baoquan He <baoquan.he@linux.dev> · 2026-06-02

COLD23d REVIEWED: 2 (2M)

Revisions (4)

2026-04-02 v12 [diff vs current]
2026-05-11 v13 [diff vs current]
2026-05-25 v14 [diff vs current]
2026-06-01 v15 current

[PATCH v15 13/23] riscv: kexec_file: Fix TOCTOU buffer overflow via memory region padding

From: Jinjie Ruan <hidden>
Date: 2026-06-01 09:49:27
Also in: kexec, linux-devicetree, linux-doc, linux-riscv, lkml, loongarch
Subsystem: risc-v architecture, the rest · Maintainers: Paul Walmsley, Palmer Dabbelt, Albert Ou, Linus Torvalds

Sashiko AI code review pointed out there is a TOCTOU (Time-of-Check to
Time-of-Use) race condition in prepare_elf_headers() between the initial
pass that counts System RAM ranges and the second pass that populates them.
If a memory hotplug event occurs between these two steps, the number of
memory regions may increase, causing an out-of-bounds write to
the cmem->ranges[] array.

Fix this fundamentally by using `CRASH_HOTPLUG_SAFETY_PADDING` (128 slots)
to expand the flexible array allocation ceiling upfront. This safely
absorbs any concurrent memory region expansion. Concurrently, add
a defensive boundary check inside the callback to return -EAGAIN on
unexpected overrun, fully eradicating the overflow window and ensuring
system stability.

Cc: Paul Walmsley <pjw@kernel.org>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: songshuaishuai@tinylab.org
Cc: bjorn@rivosinc.com
Cc: leitao@debian.org
Fixes: 8acea455fafa ("RISC-V: Support for kexec_file on panic")
Reviewed-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Jinjie Ruan <redacted>
---
 arch/riscv/kernel/machine_kexec_file.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/kernel/machine_kexec_file.c b/arch/riscv/kernel/machine_kexec_file.c
index 3f7766057cac..f3576dc0513f 100644
--- a/arch/riscv/kernel/machine_kexec_file.c
+++ b/arch/riscv/kernel/machine_kexec_file.c

@@ -48,6 +48,9 @@ static int prepare_elf64_ram_headers_callback(struct resource *res, void *arg)
 {
 	struct crash_mem *cmem = arg;
 
+	if (unlikely(cmem->nr_ranges >= cmem->max_nr_ranges))
+		return -EAGAIN;
+
 	cmem->ranges[cmem->nr_ranges].start = res->start;
 	cmem->ranges[cmem->nr_ranges].end = res->end;
 	cmem->nr_ranges++;

@@ -61,7 +64,8 @@ static int prepare_elf_headers(void **addr, unsigned long *sz)
 	unsigned int nr_ranges;
 	int ret;
 
-	nr_ranges = 2; /* For exclusion of crashkernel region */
+	/* For exclusion of crashkernel region */
+	nr_ranges = 2 + CRASH_HOTPLUG_SAFETY_PADDING;
 	walk_system_ram_res(0, -1, &nr_ranges, get_nr_ram_ranges_callback);
 
 	cmem = kmalloc_flex(*cmem, ranges, nr_ranges);

-- 
2.34.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help