lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20260130084615.357435-1-me@linux.beauty>
Date: Fri, 30 Jan 2026 16:46:15 +0800
From: Li Chen <me@...ux.beauty>
To: Pasha Tatashin <pasha.tatashin@...een.com>,
	Mike Rapoport <rppt@...nel.org>,
	Pratyush Yadav <pratyush@...nel.org>,
	linux-kernel@...r.kernel.org
Cc: Li Chen <me@...ux.beauty>
Subject: [PATCH v1] liveupdate: sanitize incoming session count

luo_session_deserialize() iterates incoming sessions using
luo_session_header_ser::count. The header physical address is provided by
the previous kernel via the KHO FDT node.

If the header is corrupted, count may become arbitrarily large and the new
kernel can read past the preserved session array (sh->ser[i]). This is an
OOB read that can crash or hang early boot.

This can happen if the FDT node is corrupted or mis-parsed and points to a
wrong header address, if stale/incompatible handover data is interpreted
with the wrong layout, or if the preserved region is scribbled by memory
corruption or DMA after kexec.

Clamp the incoming count to LUO_SESSION_MAX before iterating.

Signed-off-by: Li Chen <me@...ux.beauty>
---
 kernel/liveupdate/luo_session.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index dbdbc3bd7929..9d6c3ad990d9 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -515,6 +515,7 @@ int luo_session_deserialize(void)
 	struct luo_session_header *sh = &luo_session_global.incoming;
 	static bool is_deserialized;
 	static int err;
+	u64 count;
 
 	/* If has been deserialized, always return the same error code */
 	if (is_deserialized)
@@ -524,6 +525,13 @@ int luo_session_deserialize(void)
 	if (!sh->active)
 		return 0;
 
+	count = sh->header_ser->count;
+	if (count > LUO_SESSION_MAX) {
+		pr_warn("incoming session count %llu exceeds max %lu\n",
+			count, LUO_SESSION_MAX);
+		count = LUO_SESSION_MAX;
+	}
+
 	/*
 	 * Note on error handling:
 	 *
@@ -539,7 +547,7 @@ int luo_session_deserialize(void)
 	 * userspace to detect the failure and trigger a reboot, which will
 	 * reliably reset devices and reclaim memory.
 	 */
-	for (int i = 0; i < sh->header_ser->count; i++) {
+	for (u64 i = 0; i < count; i++) {
 		struct luo_session *session;
 
 		session = luo_session_alloc(sh->ser[i].name);
-- 
2.52.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ