On Wed, Jul 01, 2026 at 02:57:33PM +1200, Tao Liu wrote:
> A NULL pointer dereference issue is noticed in riscv's machine_kexec_prepare,
> where image->segment[i].buf might be NULL and copied unchecked.
>
> The NULL buf comes from security/integrity/ima/ima_kexec.c:
> ima_add_kexec_buffer(), where kbuf is added by kexec_add_buffer(),
> but kbuf.buffer is NULL
This should have a proper call sequence. Now the root cause is
obfuscated.
>
> Fix this by simply adding a check before copy.
>
> Fixes: b7fb4d78a6ad ("RISC-V: use memcpy for kexec_file mode")
> Acked-by: Baoquan He <[email protected]>
> Acked-by: Pratyush Yadav <[email protected]>
> Signed-off-by: Tao Liu <[email protected]>
> ---
>
> v3 -> v2: Add fixes tag; Replace "reference" to "dereference".
> link to v2:
> https://lore.kernel.org/linux-riscv/[email protected]/
> link to v1:
> https://lore.kernel.org/linux-riscv/[email protected]/
>
> ---
> arch/riscv/kernel/machine_kexec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/arch/riscv/kernel/machine_kexec.c
> b/arch/riscv/kernel/machine_kexec.c
> index 2306ce3e5f22..afc68f6a4aa1 100644
> --- a/arch/riscv/kernel/machine_kexec.c
> +++ b/arch/riscv/kernel/machine_kexec.c
> @@ -41,6 +41,13 @@ machine_kexec_prepare(struct kimage *image)
> if (image->segment[i].memsz <= sizeof(fdt))
> continue;
>
> + /*
> + * Some segments (e.g. IMA) reserve space but have no buffer
> + * loaded yet. Skip them as they cannot contain an FDT.
> + */
This is destined to rot over time. It also potentially adds to the
backporting effort while backporting to stable kernels. And most
importantly, please don't document every other null check.
> + if (image->segment[i].buf == NULL)
if (!image->segment[i].buf)
> + continue;
> +
> if (image->file_mode)
> memcpy(&fdt, image->segment[i].buf, sizeof(fdt));
> else if (copy_from_user(&fdt, image->segment[i].buf,
> sizeof(fdt)))
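Review bot: the new NULL check covers the reported IMA case, but the surrounding guard still reasons about the wrong size: the loop skips a segment only when `memsz <= sizeof(fdt)`, yet `memcpy()` / `copy_from_user()` then read `sizeof(fdt)` bytes from `buf`. `memsz` is the size of the destination reservation, not the length of the loaded buffer, so a segment with a short but non-NULL buffer still reaches the copy. Consider checking the loaded buffer length (`bufsz`) against `sizeof(fdt)` as well; a `bufsz < sizeof(fdt)` test would also subsume the NULL/empty-buffer case this patch adds, and the commit message should spell out the call path (ima_add_kexec_buffer() -> kexec_add_buffer()) that leaves `buf` NULL with a non-zero `memsz`.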
> --
> 2.54.0
>
>
BR, Jarkko