[PATCHv6 12/13] tools/kexec: Introduce a bpf-prog to parse zboot image format
bot+bpf-ci at kernel.org
bot+bpf-ci at kernel.org
Mon Jan 19 10:45:40 PST 2026
> diff --git a/tools/kexec/zboot_parser_bpf.c b/tools/kexec/zboot_parser_bpf.c
> new file mode 100644
> index 000000000000..54c4b762b332
> --- /dev/null
> +++ b/tools/kexec/zboot_parser_bpf.c
[ ... ]
> +/* see drivers/firmware/efi/libstub/zboot-header.S */
> +struct linux_pe_zboot_header {
> + unsigned int mz_magic;
> + char image_type[4];
> + unsigned int payload_offset;
> + unsigned int payload_size;
> + unsigned int reserved[2];
> + char comp_type[4];
> + unsigned int linux_pe_magic;
> + unsigned int pe_header_offset;
> +} __attribute__((packed));
[ ... ]
> + unsigned int payload_offset = zboot_header->payload_offset;
> + unsigned int payload_size = zboot_header->payload_size;
> + bpf_printk("zboot image payload offset=0x%x, size=0x%x\n", payload_offset, payload_size);
> + /* sane check */
> + if (payload_size > image_sz) {
> + bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
> + bpf_printk("Invalid zboot image payload offset and size\n");
> + return 0;
> + }
Should this bounds check also verify that payload_offset + payload_size
does not exceed image_sz? The current check only validates that payload_size
fits, but if payload_offset is large (e.g., near image_sz), the read below
could extend past the end of the kernel buffer.
For example, with payload_offset = image_sz - 10 and payload_size = 100,
the check "payload_size > image_sz" passes, but the bpf_probe_read below
would read 90 bytes past the valid buffer boundary.
> + unsigned int max_payload = MAX_RECORD_SIZE - sizeof(struct cmd_hdr);
> + if (payload_size >= max_payload) {
> + bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
> + bpf_printk("Err: payload_size > MAX_RECORD_SIZE\n");
> + return 0;
> + }
> + void *dst = (void *)buf + sizeof(struct cmd_hdr);
> + /* Overwrite buf */
> + struct cmd_hdr *cmd = (struct cmd_hdr *)buf;
> + cmd->cmd = KEXEC_BPF_CMD_DECOMPRESS;
> + cmd->subcmd = KEXEC_BPF_SUBCMD_KERNEL;
> + /* 4 bytes original size is appended after vmlinuz.bin */
> + cmd->payload_len = payload_size - 4;
> + bpf_probe_read(dst, payload_size, context->kernel + payload_offset);
^^^^^^^^^^^^^^^
This is where the out-of-bounds read could occur if payload_offset +
payload_size > image_sz. While bpf_probe_read is safe and will not crash
(it uses copy_from_kernel_nofault internally), it could read from adjacent
kernel memory if the zboot header contains invalid offset/size values.
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407
More information about the kexec
mailing list