The quilt patch titled
     Subject: x86/crash: fix potential cmem->ranges array overflow
has been removed from the -mm tree.  Its filename was
     x86-crash-fix-potential-cmem-ranges-array-overflow.patch

This patch was dropped because it is obsolete

------------------------------------------------------
From: Yuntao Wang <ytcoode@xxxxxxxxx>
Subject: x86/crash: fix potential cmem->ranges array overflow
Date: Mon, 18 Dec 2023 16:19:14 +0800

The max_nr_ranges field of cmem allocated in crash_setup_memmap_entries() is
not initialized; its default value is 0.

When elfcorehdr is allocated from the middle of crashk_res due to any
potential reason, that is, `image->elf_load_addr > crashk_res.start &&
image->elf_load_addr + image->elf_headers_sz - 1 < crashk_res.end`,
executing memmap_exclude_ranges() will cause a range split to occur in
crash_exclude_mem_range(), which eventually leads to an overflow of the
cmem->ranges array.

Set cmem->max_nr_ranges to 1 to make crash_exclude_mem_range() return
-ENOMEM instead of causing cmem->ranges array overflow even when a split
happens.

Link: https://lkml.kernel.org/r/20231218081915.24120-2-ytcoode@xxxxxxxxx
Signed-off-by: Yuntao Wang <ytcoode@xxxxxxxxx>
Cc: Borislav Petkov (AMD) <bp@xxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: Dave Young <dyoung@xxxxxxxxxx>
Cc: Hari Bathini <hbathini@xxxxxxxxxxxxx>
Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: Sean Christopherson <seanjc@xxxxxxxxxx>
Cc: Takashi Iwai <tiwai@xxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Vivek Goyal <vgoyal@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 arch/x86/kernel/crash.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/arch/x86/kernel/crash.c~x86-crash-fix-potential-cmem-ranges-array-overflow
+++ a/arch/x86/kernel/crash.c
@@ -282,10 +282,6 @@ int crash_setup_memmap_entries(struct ki struct crash_memmap_data cmd; struct crash_mem *cmem; - cmem = vzalloc(struct_size(cmem, ranges, 1)); - if (!cmem) - return -ENOMEM; - memset(&cmd, 0, sizeof(struct crash_memmap_data)); cmd.params = params; @@ -321,6 +317,11 @@ int crash_setup_memmap_entries(struct ki } /* Exclude some ranges from crashk_res and add rest to memmap */ + cmem = vzalloc(struct_size(cmem, ranges, 1)); + if (!cmem) + return -ENOMEM; + cmem->max_nr_ranges = 1; + ret = memmap_exclude_ranges(image, cmem, crashk_res.start, crashk_res.end); if (ret) goto out; _ Patches currently in -mm which might be from ytcoode@xxxxxxxxx are x86-crash-remove-the-unused-image-parameter-from-prepare_elf_headers.patch x86-crash-use-sz_1m-macro-instead-of-hardcoded-value.patch crash_core-fix-and-simplify-the-logic-of-crash_exclude_mem_range.patch crash_core-optimize-crash_exclude_mem_range.patch
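Review bot: in the first hunk, removing the allocation at the top of crash_setup_memmap_entries() leaves the `struct crash_mem *cmem;` declaration visible in the context uninitialized for the whole stretch between the old allocation site and the new one below the "Exclude some ranges" comment. That stretch is not shown here, so please confirm that no error path in it jumps to `out:` while `out:` frees `cmem`; otherwise the move turns a clean early return into a vfree() of an indeterminate pointer. Initializing the declaration as `struct crash_mem *cmem = NULL;` makes the move safe regardless, since vfree(NULL) is a no-op.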
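Review bot: in the second hunk, `cmem->max_nr_ranges = 1;` correctly converts the array overwrite into an -ENOMEM from crash_exclude_mem_range(), but the size passed to `struct_size(cmem, ranges, 1)` and the limit are now the same magic number kept in sync by hand; a short comment above the assignment stating why one range suffices (crashk_res is the only range inserted, and excluding elfcorehdr at either end only trims it) and a single named constant used in both places would prevent the two from drifting apart later. Since the commit message treats the mid-range elfcorehdr case as reachable, it is also worth stating in the message that the load now fails with -ENOMEM in that case rather than succeeding, or allocating room for two ranges so the split is represented instead of rejected.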