[PATCH v15 11/23] x86: kexec_file: Fix TOCTOU buffer overflow via memory region padding

Mon, 01 Jun 2026 02:50:27 -0700 

Sashiko AI code review pointed out there is a TOCTOU (Time-of-Check to
Time-of-Use) race condition in prepare_elf_headers() between the initial
pass that counts System RAM ranges and the second pass that populates them.
If a memory hotplug event occurs between these two steps, the number of
memory regions may increase, causing an out-of-bounds write to
the cmem->ranges[] array.

Fix this fundamentally by using `CRASH_HOTPLUG_SAFETY_PADDING`(128 slots)
to expand the flexible array allocation ceiling upfront. This safely
absorbs any concurrent memory region expansion. Concurrently, add
a defensive boundary check inside the callback to return -EAGAIN
on unexpected overrun, fully eradicating the overflow window and ensuring
system stability.

Cc: AKASHI Takahiro <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: "H. Peter Anvin" <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Baoquan He <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: [email protected]
Fixes: 8d5f894a3108 ("x86: kexec_file: lift CRASH_MAX_RANGES limit on crash_mem 
buffer")
Signed-off-by: Jinjie Ruan <[email protected]>
---
 arch/x86/kernel/crash.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
index cd796818d94d..a1089907728d 100644
--- a/arch/x86/kernel/crash.c
+++ b/arch/x86/kernel/crash.c
@@ -177,7 +177,7 @@ static struct crash_mem *fill_up_crash_elf_data(void)
         * But in order to lest the low 1M could be changed in the future,
         * (e.g. [start, 1M]), add a extra slot.
         */
-       nr_ranges += 3 + crashk_cma_cnt;
+       nr_ranges += 3 + crashk_cma_cnt + CRASH_HOTPLUG_SAFETY_PADDING;
        cmem = vzalloc(struct_size(cmem, ranges, nr_ranges));
        if (!cmem)
                return NULL;
@@ -226,6 +226,9 @@ static int prepare_elf64_ram_headers_callback(struct 
resource *res, void *arg)
 {
        struct crash_mem *cmem = arg;
 
+       if (unlikely(cmem->nr_ranges >= cmem->max_nr_ranges))
+               return -EAGAIN;
+
        cmem->ranges[cmem->nr_ranges].start = res->start;
        cmem->ranges[cmem->nr_ranges].end = res->end;
        cmem->nr_ranges++;
-- 
2.34.1

Reply via email to