A NULL pointer dereference issue is noticed in riscv's machine_kexec_prepare,
where image->segment[i].buf might be NULL and copied unchecked.
The NULL buf comes from security/integrity/ima/ima_kexec.c:
ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
but kbuf.buffer is NULL.
Fix this by simply adding a check before copy.
Fixes: b7fb4d78a6ad ("RISC-V: use memcpy for kexec_file mode")
Acked-by: Baoquan He <[email protected]>
Acked-by: Pratyush Yadav <[email protected]>
Signed-off-by: Tao Liu <[email protected]>
---
v3 -> v2: Add fixes tag; Replace "reference" to "dereference".
link to v2:
https://lore.kernel.org/linux-riscv/[email protected]/
link to v1:
https://lore.kernel.org/linux-riscv/[email protected]/
---
arch/riscv/kernel/machine_kexec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/riscv/kernel/machine_kexec.c
b/arch/riscv/kernel/machine_kexec.c
index 2306ce3e5f22..afc68f6a4aa1 100644
--- a/arch/riscv/kernel/machine_kexec.c
+++ b/arch/riscv/kernel/machine_kexec.c
@@ -41,6 +41,13 @@ machine_kexec_prepare(struct kimage *image)
if (image->segment[i].memsz <= sizeof(fdt))
continue;
+ /*
+ * Some segments (e.g. IMA) reserve space but have no buffer
+ * loaded yet. Skip them as they cannot contain an FDT.
+ */
+ if (image->segment[i].buf == NULL)
+ continue;
+
if (image->file_mode)
memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
else if (copy_from_user(&fdt, image->segment[i].buf,
sizeof(fdt)))
--
2.54.0