On 7/1/2026 10:57 AM, Tao Liu wrote:
A NULL pointer dereference issue is noticed in riscv's machine_kexec_prepare,
where image->segment[i].buf might be NULL and copied unchecked.

The NULL buf comes from security/integrity/ima/ima_kexec.c:
ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
but kbuf.buffer is NULL.

Fix this by simply adding a check before copy.

Fixes: b7fb4d78a6ad ("RISC-V: use memcpy for kexec_file mode")
Acked-by: Baoquan He <[email protected]>
Acked-by: Pratyush Yadav <[email protected]>
Signed-off-by: Tao Liu <[email protected]>
It would be better to add the log of the dereference calltrace.
Otherwise,
Reviewed-by: Nutty Liu <[email protected]>

Thanks,
Nutty
---

v3 -> v2: Add fixes tag; Replace "reference" to "dereference".
link to v2: 
https://lore.kernel.org/linux-riscv/[email protected]/
link to v1: 
https://lore.kernel.org/linux-riscv/[email protected]/

---
  arch/riscv/kernel/machine_kexec.c | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/arch/riscv/kernel/machine_kexec.c 
b/arch/riscv/kernel/machine_kexec.c
index 2306ce3e5f22..afc68f6a4aa1 100644
--- a/arch/riscv/kernel/machine_kexec.c
+++ b/arch/riscv/kernel/machine_kexec.c
@@ -41,6 +41,13 @@ machine_kexec_prepare(struct kimage *image)
                if (image->segment[i].memsz <= sizeof(fdt))
                        continue;
+ /*
+                * Some segments (e.g. IMA) reserve space but have no buffer
+                * loaded yet. Skip them as they cannot contain an FDT.
+                */
+               if (image->segment[i].buf == NULL)
+                       continue;
+
                if (image->file_mode)
                        memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
                else if (copy_from_user(&fdt, image->segment[i].buf, 
sizeof(fdt)))

Reply via email to