Re: [PATCH v3 01/10] liveupdate: Safely print untrusted strings

From: Pratyush Yadav

Date: Tue Mar 31 2026 - 05:52:48 EST


On Fri, Mar 27 2026, Pasha Tatashin wrote:

> Deserialized strings from KHO data (such as file handler compatible
> strings and session names) are provided by the previous kernel and
> might not be null-terminated if the data is corrupted or maliciously
> crafted.

Nit: KHO has absolutely no way to defend against maliciously crafted
data. If the previous kernel is malicious, why would it try to play
around with session strings when it can directly manipulate the
serialization data structures and the memory they point to? There would
be no way to detect or defend against those. I don't think KHO should
even try to defend against malicious data. It should only care about
corrupted data and bugs in the previous kernel.

The only real way to safeguard against malicious kernels is to have some
sort of chain of trust mechanism like kernel signing. That is of course
out of scope for KHO.

So please, if you do a v4, drop the "or maliciously crafted".

The patch itself LGTM.

Reviewed-by: Pratyush Yadav (Google) <pratyush@xxxxxxxxxx>

>
> When printing these strings in error messages, use the %.*s format
> specifier with the maximum buffer size to prevent out-of-bounds reads
> into adjacent kernel memory.
>
> Signed-off-by: Pasha Tatashin <pasha.tatashin@xxxxxxxxxx>
[...]

--
Regards,
Pratyush Yadav
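To make the `%.*s` idiom from the commit message concrete, here is an added userspace illustration (my own, not code from the patch series or from the kernel): a fixed-size field that may or may not carry a NUL, printed with the field size as the precision. `COMPAT_LEN`, the function names and the sample fields are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of a fixed-width string field written by the previous kernel.
 * The field is not guaranteed to contain a NUL terminator. */
#define COMPAT_LEN 8

/* Format an error message without reading past the end of the field.
 * "%.*s" takes its precision from the int argument, so the conversion stops
 * at the first NUL or after COMPAT_LEN bytes, whichever comes first; the
 * array does not need to be NUL-terminated. Returns the message length. */
int describe_unknown_compat(const char compat[COMPAT_LEN], char *out, size_t outsz)
{
	return snprintf(out, outsz, "liveupdate: unknown compatible '%.*s'",
			(int)COMPAT_LEN, compat);
}

/* Bounded check for a terminator: memchr never looks beyond COMPAT_LEN bytes,
 * so it is safe on a field that fills its whole width. Returns 1 if a NUL
 * is present within the field, 0 otherwise. */
int compat_is_terminated(const char compat[COMPAT_LEN])
{
	return memchr(compat, '\0', COMPAT_LEN) != NULL;
}

int main(void)
{
	/* Constructed samples: one NUL-padded, one using all eight bytes. */
	const char ok[COMPAT_LEN] = "memfd";
	const char full[COMPAT_LEN] = {'m', 'e', 'm', 'f', 'd', '-', 'v', '1'};
	char msg[64];

	describe_unknown_compat(ok, msg, sizeof msg);
	puts(msg);	/* liveupdate: unknown compatible 'memfd' */
	describe_unknown_compat(full, msg, sizeof msg);
	puts(msg);	/* liveupdate: unknown compatible 'memfd-v1' */
	printf("terminated: ok=%d full=%d\n",
	       compat_is_terminated(ok), compat_is_terminated(full));
	return 0;
}
```

A plain `%s` on the second field would keep reading into whatever follows the array, which is exactly the out-of-bounds read the patch avoids.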