On Mon, Jun 22, 2026 at 11:57:44PM +0530, Mukesh Ojha wrote:
> On Sun, Jun 21, 2026 at 08:57:44AM +0800, XIAO WU wrote:
> > i Mukesh,
> >
> > I came across a Sashiko AI code review [1] that flagged a pre-existing
> > integer signedness bug in `rsc_table_for_each_entry()` in
> > include/linux/rsc_table.h. The `offset` variable is declared as `int`,
> > allowing a large unsigned offset value (e.g., 0xFFFFFFF0) to become
> > negative, bypass the `avail < 0` truncation check due to size_t
> > promotion, and read from before the resource table buffer.
> >
> > I was able to reproduce this in QEMU with KASAN by crafting an ELF
> > firmware image with a malicious resource table offset.
> >
> > On Wed, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
> > > remoteproc: fix coding style issues in remoteproc.h
> > ...
> >
> > The bug is in the `rsc_table_for_each_entry()` macro further down in
> > rsc_table.h:
> >
> > ```c
> > for (i = 0; i < table->num; i++) {
> > int offset = table->offset[i]; // signed — attacker-controlled
> > struct fw_rsc_hdr *hdr = (void *)table + offset;
> > int avail = table_sz - offset - sizeof(*hdr);
> > ...
> > if (avail < 0) { ... } // bypassed via size_t promotion
> > ```
> >
> > If `table->offset[i]` is 0xFFFFFFF0, `offset` becomes -16 (signed).
> > When `avail = table_sz - (-16) - sizeof(*hdr)` is computed, the
> > negative `offset` is promoted to a large unsigned size_t, making
> > `avail` overflow to a small positive value. The `avail < 0` check
> > passes, and `hdr` points 16 bytes *before* the table buffer.
> >
> > [Reproduction]
> >
> > I compiled a fake ELF firmware with phnum=1 and a resource table whose
> > first offset entry is 0xFFFFFFF0. Writing "boot" to the remoteproc
> > sysfs state file triggers the resource parsing path:
> >
> > state_store → rproc_boot → rproc_fw_boot → rproc_parse_fw
> > → rproc_handle_resources → rsc_table_for_each_entry
> >
> > [KASAN report — kernel 7.1.0-rc6+, CONFIG_KASAN=y]
> >
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in
> > rproc_handle_resources.constprop.0+0x49b/0x510
> > Read of size 4 at addr ffff888031283790 by task poc/9573
> >
> > The buggy address belongs to the object at ffff8880312837a0
> > which belongs to the cache kmalloc-32 of size 32
> > The buggy address is located 16 bytes to the left of
> > allocated 20-byte region [ffff8880312837a0, ffff8880312837b4)
> >
> > Call Trace:
> > <TASK>
> > dump_stack_lvl+0x116/0x1f0
> > print_report+0xcd/0x630
> > kasan_report+0xe0/0x110
> > rproc_handle_resources.constprop.0+0x49b/0x510
> > rproc_boot+0x.../...
> > state_store+0x.../...
> > dev_attr_store+0x.../...
> > sysfs_kf_write+0x.../...
> > kernfs_fop_write_iter+0x.../...
> > vfs_write+0x.../...
> > ksys_write+0x.../...
> > do_syscall_64+0xcd/0xf80
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > The crash reads 4 bytes (the hdr->type field) from 16 bytes before the
> > kmemdup'd resource table buffer. The value read is 0xCCCCCCCC
> > (uninitialized kmalloc poison), confirming the negative offset bypassed
> > all bounds checks.
> >
> > [1]
> > https://sashiko.dev/#/patchset/20260611180550.2442641-3-mukesh.ojha%40oss.qualcomm.com
> > (Sashiko AI code review — "Out-of-Bounds Access", Severity: Critical)
> >
>
> Let me check and get back on this.., this looks to be existing bug.
> Thanks for reporting this.
This should fix this existing issue
https://lore.kernel.org/lkml/[email protected]/
>
> -Mukesh
> >
> >
>
> --
> -Mukesh Ojha
--
-Mukesh Ojha