[PATCH 2/2] x86/boot/compressed/kaslr: validate indirect setup_data payloads

From: Pengpeng Hou

Date: Sat Apr 04 2026 - 09:56:02 EST


mem_avoid_overlap() checks SETUP_INDIRECT entries in the boot-time
setup_data chain and reads an embedded struct setup_indirect directly from
ptr->data.

If ptr->len is smaller than sizeof(struct setup_indirect), that access can
run past the setup_data payload before compressed x86 boot has finished
walking the list.

Require the indirect payload to be large enough before dereferencing it.
Short entries are still covered by the outer setup_data avoidance range, so
this only drops the unsafe embedded-header walk.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/x86/boot/compressed/kaslr.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 3b0948ad449f..1205ea588431 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -432,6 +432,7 @@ static bool mem_avoid_overlap(struct mem_vector *img,
}

if (ptr->type == SETUP_INDIRECT &&
+ ptr->len >= sizeof(struct setup_indirect) &&
((struct setup_indirect *)ptr->data)->type != SETUP_INDIRECT) {
avoid.start = ((struct setup_indirect *)ptr->data)->addr;
avoid.size = ((struct setup_indirect *)ptr->data)->len;
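Review bot: the added `ptr->len >= sizeof(struct setup_indirect)` term does gate all three `(struct setup_indirect *)ptr->data` reads that follow, but nothing in the hunk tells a future reader why the length test must stay ahead of them; a one-line comment above the `if`, or hoisting the repeated cast into a local (e.g. `struct setup_indirect *ind = (struct setup_indirect *)ptr->data;`) assigned only after the length check passes, would make the bounds-before-read ordering explicit and harder to break in a later refactor. Note also that the new condition relies on `ptr->len`, which is itself bootloader-supplied, so the change is sound only if the caller has already validated that `ptr->len` stays within the mapped setup_data entry; stating that precondition in the commit message (it currently only says short entries remain covered by the outer avoidance range) would help reviewers confirm the fix is complete.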
--
2.50.1 (Apple Git-155)