Re: CVE-2023-52823: kernel: kexec: copy user-array safely

From: Greg Kroah-Hartman
Date: Fri May 24 2024 - 06:15:56 EST


On Fri, May 24, 2024 at 12:02:10PM +0200, Jiri Bohac wrote:
> On Tue, May 21, 2024 at 05:31:59PM +0200, Greg Kroah-Hartman wrote:
> > kernel: kexec: copy user-array safely
> >
> > Currently, there is no overflow-check with memdup_user().
>
> This is false.
> Therefore, I'd like to dispute this CVE.
>
> The overflow check is in the kexec_load_check()
> function called shortly before the memdup_user() call:
>
>
> SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
> struct kexec_segment __user *, segments, unsigned long, flags)
> {
> result = kexec_load_check(nr_segments, flags);
> if (result)
> return result;
> ...
> ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
> ...
> }
>
> #define KEXEC_SEGMENT_MAX 16
> static inline int kexec_load_check(unsigned long nr_segments,
> unsigned long flags)
> {
> ...
> if (nr_segments > KEXEC_SEGMENT_MAX)
> return -EINVAL;
> }

Nice, but then why was this commit worded this way? Now we check twice?
Double safe? Should it be reverted?

I'll go revoke this, thanks for the review!

greg k-h