From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ed1-f41.google.com (mail-ed1-f41.google.com [209.85.208.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D5BCF396B69 for ; Fri, 27 Mar 2026 13:16:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=209.85.208.41 ARC-Seal:i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774617419; cv=pass; b=e0DwctfnsCTEv9SDRds7Edco9zBxmmjRjYc+ceuFcrNir4iJoYA/a94sIzE9/kxrzb7rJQ96ApQ6DM4dTdy2wtOvJDpSYSc8lvuZCoV0iH7HSU9JrWd3JLmWKVkFa9M0IRLNaIh4z23YUJOfmY3fjZ/uFccSVpnJ07Af7nw9/Lo= ARC-Message-Signature:i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774617419; c=relaxed/simple; bh=sHKvyyue9vVsh9BzgvLO5dLQ9tBQm75RPX9s7+ZbQqk=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Content-Type; b=Cn6puabSZuU++Xn2mPZioHuuSBK6vkdb8EqfUdb30X5xFzwiQi6h1wGMSUSxOJon2nm1DXbLCLRcYfAWoBg/wTlolHBO9WjgPBboUQ+LtqxhxImBqSjj44hpd+P6HLcFMOPmnyBBqqH9zWVYyF2iUfxLN5SzstgJhDGJIMXwEjc= ARC-Authentication-Results:i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=soleen.com; spf=pass smtp.mailfrom=soleen.com; dkim=pass (2048-bit key) header.d=soleen.com header.i=@soleen.com header.b=MvHfzNJy; arc=pass smtp.client-ip=209.85.208.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=soleen.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=soleen.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=soleen.com header.i=@soleen.com header.b="MvHfzNJy" Received: by mail-ed1-f41.google.com with SMTP id 4fb4d7f45d1cf-66b51bfe5f3so585054a12.2 for ; Fri, 27 Mar 2026 06:16:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1774617416; cv=none; d=google.com; s=arc-20240605; b=iqBVCSrGk/jRfZ0DH0xobuIHkm4I9w0HPygGsBx7CiIN7pwRgBmWkXzLCMiGmxJiVG en5PgEQP3bI4N43xXWkesHYuqtSt5vVC/HPOwRMBn3n7P1kBdoxrZqAprni9OWOk9qtS bWL1WtTHath6uCLHcc2neu344JC0LCLDhFmATIuAoiPU06vZWQycADsZNDz574XZLKvK 9RjXOwLGLpdnoDSEuyf6tFKCT/mj7akwp/RIorcotquw+2fSH2BBRsGXE2l9SOqX+zW/ SqUbSWxARBnaCftI0698/KPeVZ/xtNs/f7MNbNJ/uwr6lFvHkXafEYqEU4ts4W6l23xk vHyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=53Tid1pF/DPyk0e2RXtur5yeh/pvYC68/Ct3diTtDjc=; fh=Wk54vm0+26890UhEy+OkfbmYvndBD4zIyzU65SmLn0Q=; b=Oj1Amy/N350Wu5hMbPfwh10XH/TRVw4m6nKhCVPjjWRwDmqX/VHl+rVjGypWsPZ5sR k0gQ5KrTIZznd8iXvpULCn/OayTQgTmVVAFHF7qapvEwWmNSGbOV+8GFHcbQpUCosT6K dikyai/UBwLgno2T1A6SROMAt+6LgcwnJGBhpkcJVSWScdu92uPaCyQLUa/EAry8J7XP ghiTfCAB67rXydKHI6s815GG34cbbSm0NjctgjBreQ6CqAQeJj8jZLW4qnXCKuBOIY4Z 8jU6GnlL+4AFLg2aMnR1RRw5nEQQrdbazPVYuGYUz2nmaCd7sHFfCGHUrV6qiKWF3DRr 2WuA==; darn=vger.kernel.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=soleen.com; s=google; t=1774617416; x=1775222216; darn=vger.kernel.org; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=53Tid1pF/DPyk0e2RXtur5yeh/pvYC68/Ct3diTtDjc=; b=MvHfzNJyUT8SVVxVUBCKr7ukBQvQitPLR/qk08tLOQwbsK5NnNuPpeqtj/318+DXSC t/lm60cC2ixzPs0YIfGetSZz/yWUeuYLq+LJcMSNk8awB1TPFBXLvHG02o7Pbz0b0kAI 76tyxMhgZJG4xSzA9AjDjXGD7sVrHmvido84Xr2WBbJV3/sVSQCi34hqW/q58eeefHZm KCZExRuVfRjujOpDOLoav/tc5KaAAC+7aSZXzRJs7C4J/n2rS3zRRP1ggfJHI5nypFve Yzx+j4rWv3140aZq8P0FvbxiIwper+2YAd1dRW3Ee42u+HG0sw4otNm+NMDSNNihovK/ AbxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774617416; x=1775222216; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=53Tid1pF/DPyk0e2RXtur5yeh/pvYC68/Ct3diTtDjc=; b=bGqN/RLYnIe2ImjDcpF0qSbGrXb7/E7/OPAVjhDS3Lw97aQ3EJ4lryv/3j0DsnTGZM 9vXtuCO60Px8pAKhGAH9zME+NOrvYhu41U6miv0pKsVBYtpqszXBkWeEV9DjMTp656IC YsrX0StaCuiA/ZHV9A2pkw78JiFZSG1XhU5jV/gjfNRGAopy9OtbxpoY03OYU0ymZ8PL yfvS10Glpl4dBOyYEyw+ERDnroU33QeS1WNTWt+fSV5LFqohfSg18Zf502AMq4Hr5SO5 S014DUXuaPz57+fL5b/U2tUnpIVVs/s7V1hTA+Wrexh22NCwBu9w1oAGq+PoKI3yYDpl 4orQ== X-Forwarded-Encrypted: i=1; AJvYcCXGx3V3/0L+QiB1U43J67ETZT4e7MuSnQJDPyGhiFivkrjEEoCge+L7teGXUNuwgT1ymI79x/acZYCCETw=@vger.kernel.org X-Gm-Message-State: AOJu0YyUoIsjPqAbpet6IlEK53pRYH/zlx7aD5t47AdTptFmc48FS9FU OwNlUbPh+vJKEaI1KMtp6cKL9zGvHmgmYpVlk4Z3JqphfIvLW96oBgyn1lNY6cXLmz+z8VHzS8A XZQuQLMsVzxJizRZJEcN6G814AWCt0E3+Sj6TKsYqrw== X-Gm-Gg: ATEYQzwfvNplTMxgRB0Powl8dkdV/r3N9xVKUYZhekgIGlp7Hzt7NQbJy8XANrICDdk ZedLH7lLZTiAiNvmVm5tbH8nMQixwedgD8APqzu2Eg7HJqCj/UIBrPVjPme4VX2WtUJkX2/+YXo 67VT05JmO4IkJ847THqeHKnVbejcIaSM/SA+kQ+QyGIt2K2C6Xx3NevLbb3dVcj29qi7HpN1ef9 Dn8JobGAB9ZndUMQ/jCMm4ifS2havXccc4mnw0Apc25Jludx07o16fy9AIEMjAzYnUMp9R7rI/9 d+sjhBqDRJm21tnWRXvzInDGCSEZolvafQvFEg== X-Received: by 2002:aa7:d391:0:b0:66b:3cb7:f63a with SMTP id 4fb4d7f45d1cf-66b3cb7fbe8mr817711a12.19.1774617416048; Fri, 27 Mar 2026 06:16:56 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20260327033335.696621-1-pasha.tatashin@soleen.com> <20260327033335.696621-2-pasha.tatashin@soleen.com> In-Reply-To: <20260327033335.696621-2-pasha.tatashin@soleen.com> From: Pasha Tatashin Date: Fri, 27 Mar 2026 09:16:19 -0400 X-Gm-Features: AQROBzAzTw5vrOfwLpddYaTbidyVZvBLrp2FunFo3w8jJEA4WmWslajSm4DGuBQ Message-ID: Subject: Re: [PATCH v3 01/10] liveupdate: Safely print untrusted strings To: rppt@kernel.org, akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, pasha.tatashin@soleen.com, dmatlack@google.com, pratyush@kernel.org, skhawaja@google.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Mar 26, 2026 at 11:33=E2=80=AFPM Pasha Tatashin wrote: > > Deserialized strings from KHO data (such as file handler compatible > strings and session names) are provided by the previous kernel and > might not be null-terminated if the data is corrupted or maliciously > crafted. > > When printing these strings in error messages, use the %.*s format > specifier with the maximum buffer size to prevent out-of-bounds reads > into adjacent kernel memory. > > Signed-off-by: Pasha Tatashin > --- > kernel/liveupdate/luo_file.c | 3 ++- > kernel/liveupdate/luo_session.c | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/kernel/liveupdate/luo_file.c b/kernel/liveupdate/luo_file.c > index 5acee4174bf0..a6d98fc75d25 100644 > --- a/kernel/liveupdate/luo_file.c > +++ b/kernel/liveupdate/luo_file.c > @@ -785,7 +785,8 @@ int luo_file_deserialize(struct luo_file_set *file_se= t, > } > > if (!handler_found) { > - pr_warn("No registered handler for compatible '%s= '\n", > + pr_warn("No registered handler for compatible '%.= *s'\n", > + (int)sizeof(file_ser[i].compatible), > file_ser[i].compatible); > return -ENOENT; > } > diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_sess= ion.c > index 25ae704d7787..8c76dece679b 100644 > --- a/kernel/liveupdate/luo_session.c > +++ b/kernel/liveupdate/luo_session.c > @@ -544,7 +544,8 @@ int luo_session_deserialize(void) > > session =3D luo_session_alloc(sh->ser[i].name); > if (IS_ERR(session)) { > - pr_warn("Failed to allocate session [%s] during d= eserialization %pe\n", > + pr_warn("Failed to allocate session [%.*s] during= deserialization %pe\n", > + (int)sizeof(sh->ser[i].name), > sh->ser[i].name, session); > return PTR_ERR(session); > } Lol, Sashiko went a little overboard and gave this patch two "Critical" findings: 1. If a registered file handler uses a compatible string equal to or longer= than the buffer, and the untrusted string matches it without a null terminator, strcmp() could read past the bounds of file_ser[i].compatible. B.S.: The length of the string is ABI, and fh->compatible is a NULL-terminated string provided by the current kernel. In the future, we can replace strcmp() with strncmp(), but it is not a high-priority issue. 2. By returning PTR_ERR(session) directly without updating the static err variable, subsequent calls will see is_deserialized as true and return 0. This is regarding luo_session_deserialize(), that is the intended behavior. We attempt deserialization exactly once, and if it fails, some resources stay "leaked" and inaccessible to the user until the next reboot. This is the safest approach to avoid data leaks. > -- > 2.43.0 >