From: Pasha Tatashin <pasha.tatashin@soleen.com>
To: Pratyush Yadav <pratyush@kernel.org>
Cc: rppt@kernel.org, akpm@linux-foundation.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, dmatlack@google.com,
skhawaja@google.com
Subject: Re: [PATCH v3 01/10] liveupdate: Safely print untrusted strings
Date: Tue, 31 Mar 2026 12:35:49 -0400 [thread overview]
Message-ID: <CA+CK2bCnn-0WNU34LFte5+37jMOLELB1dXHkX6shO-3t3F3gUw@mail.gmail.com> (raw)
In-Reply-To: <2vxzikaciays.fsf@kernel.org>
On Tue, Mar 31, 2026 at 5:50 AM Pratyush Yadav <pratyush@kernel.org> wrote:
>
> On Fri, Mar 27 2026, Pasha Tatashin wrote:
>
> > Deserialized strings from KHO data (such as file handler compatible
> > strings and session names) are provided by the previous kernel and
> > might not be null-terminated if the data is corrupted or maliciously
> > crafted.
>
> Nit: KHO has absolutely no way to defend against maliciously crafted
> data. If the previous kernel is malicious, why would it try to play
> around with session strings when it can directly manipulate the
> serialization data structures and the memory they point to? There would
> be no way to detect or defend against those. I don't think KHO should
> even try to defend against malicious data. It should only care about
> corrupted data and bugs in the previous kernel.
>
> The only real way to safeguard against malicious kernels is to have some
> sort of chain of trust mechanism like kernel signing. That is of course
> out of scope for KHO.
>
> So please, if you do a v4, drop the "or maliciously crafted".
Makes sense, will do it if there is another version.
>
> The patch itself LGTM.
>
> Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Thanks.
Pasha
>
> >
> > When printing these strings in error messages, use the %.*s format
> > specifier with the maximum buffer size to prevent out-of-bounds reads
> > into adjacent kernel memory.
> >
> > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> [...]
>
> --
> Regards,
> Pratyush Yadav
next prev parent reply other threads:[~2026-03-31 16:36 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-27 3:33 [PATCH v3 00/10] liveupdate: Fix module unloading and unregister API Pasha Tatashin
2026-03-27 3:33 ` [PATCH v3 01/10] liveupdate: Safely print untrusted strings Pasha Tatashin
2026-03-27 13:16 ` Pasha Tatashin
2026-03-31 9:40 ` Pratyush Yadav
2026-03-31 9:50 ` Pratyush Yadav
2026-03-31 16:35 ` Pasha Tatashin [this message]
2026-03-27 3:33 ` [PATCH v3 02/10] liveupdate: Synchronize lazy initialization of FLB private state Pasha Tatashin
2026-03-31 10:38 ` Pratyush Yadav
2026-03-31 16:41 ` Pasha Tatashin
2026-03-31 19:22 ` Pratyush Yadav
2026-03-31 19:38 ` Pasha Tatashin
2026-03-27 3:33 ` [PATCH v3 03/10] liveupdate: Protect file handler list with rwsem Pasha Tatashin
2026-03-30 16:48 ` Samiullah Khawaja
2026-03-30 19:32 ` Pasha Tatashin
2026-03-31 19:24 ` Pratyush Yadav
2026-03-27 3:33 ` [PATCH v3 04/10] liveupdate: Protect FLB lists with luo_register_rwlock Pasha Tatashin
2026-03-31 19:33 ` Pratyush Yadav
2026-03-27 3:33 ` [PATCH v3 05/10] liveupdate: Defer FLB module refcounting to active sessions Pasha Tatashin
2026-03-30 16:56 ` Samiullah Khawaja
2026-03-30 19:28 ` Pasha Tatashin
2026-04-02 16:21 ` Pratyush Yadav
2026-03-27 3:33 ` [PATCH v3 06/10] liveupdate: Remove luo_session_quiesce() Pasha Tatashin
2026-04-02 16:27 ` Pratyush Yadav
2026-03-27 3:33 ` [PATCH v3 07/10] liveupdate: Auto unregister FLBs on file handler unregistration Pasha Tatashin
2026-04-03 10:17 ` Pratyush Yadav
2026-03-27 3:33 ` [PATCH v3 08/10] liveupdate: Remove liveupdate_test_unregister() Pasha Tatashin
2026-04-03 10:20 ` Pratyush Yadav
2026-03-27 3:33 ` [PATCH v3 09/10] liveupdate: Make unregister functions return void Pasha Tatashin
2026-03-27 14:41 ` Pasha Tatashin
2026-04-03 10:41 ` Pratyush Yadav
2026-03-27 3:33 ` [PATCH v3 10/10] liveupdate: Defer file handler module refcounting to active sessions Pasha Tatashin
2026-03-27 17:14 ` Andrew Morton
2026-04-03 10:42 ` Pratyush Yadav
2026-03-27 17:24 ` [PATCH v3 00/10] liveupdate: Fix module unloading and unregister API Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+CK2bCnn-0WNU34LFte5+37jMOLELB1dXHkX6shO-3t3F3gUw@mail.gmail.com \
--to=pasha.tatashin@soleen.com \
--cc=akpm@linux-foundation.org \
--cc=dmatlack@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pratyush@kernel.org \
--cc=rppt@kernel.org \
--cc=skhawaja@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox