> diff --git a/tools/kexec/pe.h b/tools/kexec/pe.h
> new file mode 100644
> index 000000000000..c2273d3fc3bb
> --- /dev/null
> +++ b/tools/kexec/pe.h
[ ... ]
> +/*
> + * Return -1 if not PE, else offset of the PE header
> + */
> +static int get_pehdr_offset(const char *buf)
> +{
> + int pe_hdr_offset;
> +
> + pe_hdr_offset = *((int *)(buf + 0x3c));
> + buf += pe_hdr_offset;
> + if (!!memcmp(buf, "PE\0\0", 4)) {
> + printf("Not a PE file\n");
> + return -1;
> + }
> +
> + return pe_hdr_offset;
> +}
This function returns int and can return -1 on error, but the caller stores
the result in a uint32_t without checking for errors (see below).
> diff --git a/tools/kexec/zboot_image_builder.c
> b/tools/kexec/zboot_image_builder.c
> new file mode 100644
> index 000000000000..c0a785074970
> --- /dev/null
> +++ b/tools/kexec/zboot_image_builder.c
[ ... ]
> +int main(int argc, char **argv)
> +{
> + uint32_t payload_new_offset, payload_sect_off;
> + uint32_t payload_size;
> + uint32_t payload_sect_idx;
^^^^^^^^^^^^^^^^
Are payload_sect_idx and payload_sect_off intentionally left uninitialized
here? If the loop below never finds a matching section, these variables
will contain garbage values.
[ ... ]
> + uint32_t pe_hdr_offset = get_pehdr_offset((const char
> *)base_start_addr);
> + base_cur = base_start_addr + pe_hdr_offset;
Is there a missing check for the return value of get_pehdr_offset()? The
function returns -1 on error (printing "Not a PE file"), but this code
stores it in a uint32_t and uses it directly. If get_pehdr_offset()
returns -1, pe_hdr_offset becomes 0xFFFFFFFF, and base_cur will point far
past the mapped region.
[ ... ]
> + /* Decide the section idx and the payload offset within the section */
> + for (i = 0; i < num_sections; i++) {
> + sect = &base_sections[i];
> + if (zheader->payload_offset >= sect->data_addr &&
> + zheader->payload_offset < (sect->data_addr +
> sect->raw_data_size)) {
> + payload_sect_idx = i;
> + payload_sect_off = zheader->payload_offset -
> sect->data_addr;
> + }
> + }
If the condition is never true (payload_offset not within any section),
payload_sect_idx and payload_sect_off remain uninitialized. They are used
later in:
payload_new_offset = new_sections[payload_sect_idx].data_addr +
payload_sect_off;
Could this cause undefined behavior with a malformed input file?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407
