| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aQHUyyFtiNZhx8jo@kernel.org>
Date: Wed, 29 Oct 2025 10:48:11 +0200
From: Mike Rapoport <rppt@...nel.org>
To: Pasha Tatashin <pasha.tatashin@...een.com>
Cc: akpm@...ux-foundation.org, brauner@...nel.org, corbet@....net,
graf@...zon.com, jgg@...pe.ca, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-mm@...ck.org,
masahiroy@...nel.org, ojeda@...nel.org, pratyush@...nel.org,
rdunlap@...radead.org, tj@...nel.org, jasonmiu@...gle.com,
dmatlack@...gle.com, skhawaja@...gle.com
Subject: Re: [PATCH v3 1/3] liveupdate: kho: warn and fail on metadata or
preserved memory in scratch area
Hi Pasha,
On Mon, Oct 20, 2025 at 08:08:50PM -0400, Pasha Tatashin wrote:
> It is invalid for KHO metadata or preserved memory regions to be located
> within the KHO scratch area, as this area is overwritten when the next
> kernel is loaded, and used early in boot by the next kernel. This can
> lead to memory corruption.
>
> Adds checks to kho_preserve_* and KHO's internal metadata allocators
> (xa_load_or_alloc, new_chunk) to verify that the physical address of the
> memory does not overlap with any defined scratch region. If an overlap
> is detected, the operation will fail and a WARN_ON is triggered. To
> avoid performance overhead in production kernels, these checks are
> enabled only when CONFIG_KEXEC_HANDOVER_DEBUG is selected.
>
> Signed-off-by: Pasha Tatashin <pasha.tatashin@...een.com>
> ---
> kernel/Kconfig.kexec | 9 ++++++
> kernel/Makefile | 1 +
> kernel/kexec_handover.c | 53 ++++++++++++++++++++++----------
> kernel/kexec_handover_debug.c | 25 +++++++++++++++
> kernel/kexec_handover_internal.h | 16 ++++++++++
> 5 files changed, 87 insertions(+), 17 deletions(-)
> create mode 100644 kernel/kexec_handover_debug.c
> create mode 100644 kernel/kexec_handover_internal.h
>
> diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec
> index 422270d64820..c94d36b5fcd9 100644
> --- a/kernel/Kconfig.kexec
> +++ b/kernel/Kconfig.kexec
> @@ -109,6 +109,15 @@ config KEXEC_HANDOVER
> to keep data or state alive across the kexec. For this to work,
> both source and target kernels need to have this option enabled.
>
> +config KEXEC_HANDOVER_DEBUG
> + bool "Enable Kexec Handover debug checks"
> + depends on KEXEC_HANDOVER_DEBUGFS
I missed that in the earlier review, should be "depends on KEXEC_HANDOVER"
@Andrew, can you please fold this into what's now commit 0e0faeffd144
("kho: warn and fail on metadata or preserved memory in scratch area")
diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec
index c94d36b5fcd9..54e581072617 100644
--- a/kernel/Kconfig.kexec
+++ b/kernel/Kconfig.kexec
@@ -111,7 +111,7 @@ config KEXEC_HANDOVER
config KEXEC_HANDOVER_DEBUG
bool "Enable Kexec Handover debug checks"
- depends on KEXEC_HANDOVER_DEBUGFS
+ depends on KEXEC_HANDOVER
help
This option enables extra sanity checks for the Kexec Handover
subsystem. Since, KHO performance is crucial in live update
> + help
> + This option enables extra sanity checks for the Kexec Handover
> + subsystem. Since, KHO performance is crucial in live update
> + scenarios and the extra code might be adding overhead it is
> + only optionally enabled.
> +
> config CRASH_DUMP
> bool "kernel crash dumps"
> default ARCH_DEFAULT_CRASH_DUMP
--
Sincerely yours,
Mike.
Powered by blists - more mailing lists