Message-ID: <2vxzjywku3u1.fsf@kernel.org>
Date: Tue, 10 Feb 2026 14:26:46 +0100
From: Pratyush Yadav <pratyush@...nel.org>
To: Li Chen <me@...ux.beauty>
Cc: Pasha Tatashin <pasha.tatashin@...een.com>,  Mike Rapoport
 <rppt@...nel.org>,  Pratyush Yadav <pratyush@...nel.org>,
  linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] liveupdate: sanitize incoming session count

Hi Li,

On Fri, Jan 30 2026, Li Chen wrote:

> luo_session_deserialize() iterates incoming sessions using
> luo_session_header_ser::count. The header physical address is provided by
> the previous kernel via the KHO FDT node.
>
> If the header is corrupted, count may become arbitrarily large and the new
> kernel can read past the preserved session array (sh->ser[i]). This is an
> OOB read that can crash or hang early boot.
>
> This can happen if the FDT node is corrupted or mis-parsed and points to a
> wrong header address, if stale/incompatible handover data is interpreted
> with the wrong layout, or if the preserved region is scribbled by memory
> corruption or DMA after kexec.

If the header is corrupted, won't the FDT magic checks fail when doing
any of the FDT operations like getting the compatible? Or perhaps we
should call fdt_check_header() in luo_early_startup()?

I think the sanity check might still be a useful thing, but I'd like to
clarify _why_ we are doing this.

>
> Clamp the incoming count to LUO_SESSION_MAX before iterating.
>
> Signed-off-by: Li Chen <me@...ux.beauty>
[...]

-- 
Regards,
Pratyush Yadav
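
A user-space model of the count check discussed in this thread, added here as an illustration; it is not the kernel's code or the patch under review. The entry layout, the value of LUO_SESSION_MAX, the helper names and the extra bound against the region length are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define LUO_SESSION_MAX 4            /* constructed value for this model */
struct session_ser {                 /* hypothetical entry layout */
    char     name[16];
    uint64_t token;
};
struct session_header_ser {          /* models the header: count, then ser[] */
    uint64_t           count;
    struct session_ser ser[];
};
#define HDR_LEN offsetof(struct session_header_ser, ser)

/* Sum the tokens of the entries the header claims. Returns the number of
 * entries visited, or -1 if the region cannot hold a header. *clamped is set
 * when the claimed count had to be reduced. */
long walk_sessions(const void *region, size_t len, uint64_t *sum, int *clamped)
{
    const unsigned char *p = region;
    struct session_ser e;
    uint64_t n, fit, i;
    *sum = 0; *clamped = 0;
    if (len < HDR_LEN)
        return -1;
    memcpy(&n, p, sizeof(n));                    /* untrusted count */
    fit = (len - HDR_LEN) / sizeof(e);           /* entries that really fit */
    if (n > LUO_SESSION_MAX) { n = LUO_SESSION_MAX; *clamped = 1; }
    if (n > fit)             { n = fit;             *clamped = 1; }
    for (i = 0; i < n; i++) {
        memcpy(&e, p + HDR_LEN + i * sizeof(e), sizeof(e));
        *sum += e.token;
    }
    return (long)n;
}

/* Constructed sample: `present` entries (token = index + 1), header claims `claimed`. */
long demo(uint64_t claimed, unsigned present, uint64_t *sum, int *clamped)
{
    unsigned char buf[HDR_LEN + 8 * sizeof(struct session_ser)] = {0};
    struct session_ser e = { "s", 0 };
    unsigned i;
    memcpy(buf, &claimed, sizeof(claimed));
    for (i = 0; i < present && i < 8; i++) {
        e.token = i + 1;
        memcpy(buf + HDR_LEN + i * sizeof(e), &e, sizeof(e));
    }
    return walk_sessions(buf, HDR_LEN + (size_t)i * sizeof(e), sum, clamped);
}
```

Clamping keeps the walk inside the array but still visits entries from a header already known to be inconsistent, so a caller can use the clamped flag to treat the handover data as suspect.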
