Re: [PATCH 1/2] x86/setup_data: validate indirect entry sizes before dereferencing them

From: Pengpeng Hou

Date: Sat Apr 04 2026 - 22:17:08 EST


Hi Boris,

Because the failure mode here is not just “the bootloader passed nonsense” in
a semantic sense; the current code can dereference past the mapped payload of
a malformed `SETUP_INDIRECT` entry.

The affected paths first read the outer `struct setup_data` header, and then
some of them treat `data->len` as though it always covers a full
`struct setup_indirect`. If `data->len` is short, or wraps when
`sizeof(struct setup_data) + data->len` is computed, the kernel can remap or
reserve less than a full indirect header and still read `indirect->type`,
`addr`, or `len` beyond that range.

So the thing I was trying to harden is not “make every bad setup_data entry
boot successfully”; it is “do not turn malformed boot metadata into a kernel
OOB read while walking setup_data”.

I think that is worth handling because `setup_data` is still external boot
input to the kernel. It can come not only from a normal bootloader path, but
also from kexec-style handoff and virtualized boot flows.

The intended fallback here is narrow and local: if an indirect entry is
malformed, keep treating the outer `setup_data` payload as opaque instead of
walking the embedded header. That way we avoid the out-of-bounds read without
trying to make malformed metadata otherwise “work”.

Thanks,
Pengpeng
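The validation described in the message above, as an added example that is not part of the patch, the thread, or the kernel's own code: the struct layouts are userspace mirrors assumed to match the x86 uapi header, and `setup_indirect_map_len` and `probe_entry` are names chosen here, not kernel functions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace mirrors of the x86 boot structures (layout assumed to match
 * arch/x86/include/uapi/asm/setup_data.h; this is not the kernel's own code). */
struct setup_data {
	uint64_t next;
	uint32_t type;
	uint32_t len;   /* payload bytes following the header */
	uint8_t data[];
};

struct setup_indirect {
	uint32_t type;
	uint32_t reserved;
	uint64_t len;
	uint64_t addr;
};
#define SETUP_INDIRECT (1U << 31)

/* Bytes to map/reserve for @hdr before touching the embedded setup_indirect.
 * Returns 0 for a malformed entry (payload shorter than a full indirect
 * header, or header + len wraps); callers then keep the payload opaque. */
static size_t setup_indirect_map_len(const struct setup_data *hdr)
{
	if (!(hdr->type & SETUP_INDIRECT))
		return 0;
	if (hdr->len < sizeof(struct setup_indirect))
		return 0;
	/* size_t is 32 bits on i386, so sizeof(*hdr) + hdr->len can wrap there */
	if (hdr->len > SIZE_MAX - sizeof(*hdr))
		return 0;
	return sizeof(*hdr) + hdr->len;
}

/* Constructed sample: an indirect entry claiming @declared_len payload bytes;
 * the embedded header is copied out only after the check passes. */
static size_t probe_entry(uint32_t declared_len, struct setup_indirect *out)
{
	_Alignas(8) uint8_t buf[sizeof(struct setup_data) + sizeof(struct setup_indirect)] = {0};
	struct setup_data *hdr = (struct setup_data *)buf;
	struct setup_indirect ind = { .type = 5, .len = 4096, .addr = 0x100000 };

	hdr->type = SETUP_INDIRECT;
	hdr->len = declared_len;
	memcpy(hdr->data, &ind, sizeof(ind));
	if (!setup_indirect_map_len(hdr))
		return 0; /* malformed: keep the payload opaque, read nothing from it */
	memcpy(out, hdr->data, sizeof(*out)); /* a full 24-byte header is present */
	return sizeof(*hdr) + hdr->len;
}
```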