[PATCHv6 13/13] tools/kexec: Add a zboot image building tool
bot+bpf-ci at kernel.org
Mon Jan 19 10:45:38 PST 2026
> diff --git a/tools/kexec/pe.h b/tools/kexec/pe.h
> new file mode 100644
> index 000000000000..c2273d3fc3bb
> --- /dev/null
> +++ b/tools/kexec/pe.h
[ ... ]
> +/*
> + * Return -1 if not PE, else offset of the PE header
> + */
> +static int get_pehdr_offset(const char *buf)
> +{
> + int pe_hdr_offset;
> +
> + pe_hdr_offset = *((int *)(buf + 0x3c));
> + buf += pe_hdr_offset;
> + if (!!memcmp(buf, "PE\0\0", 4)) {
> + printf("Not a PE file\n");
> + return -1;
> + }
> +
> + return pe_hdr_offset;
> +}
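Review bot: get_pehdr_offset() trusts the 32-bit offset it reads at buf + 0x3c without knowing how large the buffer is, so a malformed image with a large or negative value there makes `buf += pe_hdr_offset;` followed by `memcmp(buf, "PE\0\0", 4)` read outside the mapped file before the "PE\0\0" check can reject it. Suggest passing the image size into the function and returning -1 when the buffer is shorter than 0x40 bytes or when pe_hdr_offset is negative or greater than size - 4. The `!!` in `if (!!memcmp(buf, "PE\0\0", 4))` is also redundant, since the non-zero test already happens in the `if`.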
This function returns int and can return -1 on error, but the caller stores
the result in a uint32_t without checking for errors (see below).
> diff --git a/tools/kexec/zboot_image_builder.c b/tools/kexec/zboot_image_builder.c
> new file mode 100644
> index 000000000000..c0a785074970
> --- /dev/null
> +++ b/tools/kexec/zboot_image_builder.c
[ ... ]
> +int main(int argc, char **argv)
> +{
> + uint32_t payload_new_offset, payload_sect_off;
> + uint32_t payload_size;
> + uint32_t payload_sect_idx;
^^^^^^^^^^^^^^^^
Are payload_sect_idx and payload_sect_off intentionally left uninitialized
here? If the loop below never finds a matching section, these variables
will contain garbage values.
[ ... ]
> + uint32_t pe_hdr_offset = get_pehdr_offset((const char *)base_start_addr);
> + base_cur = base_start_addr + pe_hdr_offset;
Is there a missing check for the return value of get_pehdr_offset()? The
function returns -1 on error (printing "Not a PE file"), but this code
stores it in a uint32_t and uses it directly. If get_pehdr_offset()
returns -1, pe_hdr_offset becomes 0xFFFFFFFF, and base_cur will point far
past the mapped region.
[ ... ]
> + /* Decide the section idx and the payload offset within the section */
> + for (i = 0; i < num_sections; i++) {
> + sect = &base_sections[i];
> + if (zheader->payload_offset >= sect->data_addr &&
> + zheader->payload_offset < (sect->data_addr + sect->raw_data_size)) {
> + payload_sect_idx = i;
> + payload_sect_off = zheader->payload_offset - sect->data_addr;
> + }
> + }
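Review bot: The loop keeps no record of whether a section matched and does not break on a match, so once it finishes nothing distinguishes "payload_offset fell inside section i" from "no section matched at all", and the later `new_sections[payload_sect_idx].data_addr + payload_sect_off` is reached either way. Suggest initializing payload_sect_idx to num_sections (or adding a `bool found`) before the loop, breaking when the condition is true, and failing with an error message after the loop if no section contained zheader->payload_offset.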
If the condition is never true (payload_offset not within any section),
payload_sect_idx and payload_sect_off remain uninitialized. They are used
later in:
payload_new_offset = new_sections[payload_sect_idx].data_addr + payload_sect_off;
Could this cause undefined behavior with a malformed input file?
---
AI reviewed your patch. Please fix the bug or reply by email explaining why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407