Re: [PATCH v3 01/10] liveupdate: Safely print untrusted strings
From: Pasha Tatashin
Date: Tue Mar 31 2026 - 13:05:13 EST
On Tue, Mar 31, 2026 at 5:50 AM Pratyush Yadav <pratyush@xxxxxxxxxx> wrote:
>
> On Fri, Mar 27 2026, Pasha Tatashin wrote:
>
> > Deserialized strings from KHO data (such as file handler compatible
> > strings and session names) are provided by the previous kernel and
> > might not be null-terminated if the data is corrupted or maliciously
> > crafted.
>
> Nit: KHO has absolutely no way to defend against maliciously crafted
> data. If the previous kernel is malicious, why would it try to play
> around with session strings when it can directly manipulate the
> serialization data structures and the memory they point to? There would
> be no way to detect or defend against those. I don't think KHO should
> even try to defend against malicious data. It should only care about
> corrupted data and bugs in the previous kernel.
>
> The only real way to safeguard against malicious kernels is to have some
> sort of chain of trust mechanism like kernel signing. That is of course
> out of scope for KHO.
>
> So please, if you do a v4, drop the "or maliciously crafted".
Makes sense, will do it if there is another version.
>
> The patch itself LGTM.
>
> Reviewed-by: Pratyush Yadav (Google) <pratyush@xxxxxxxxxx>
Thanks.
Pasha
>
> >
> > When printing these strings in error messages, use the %.*s format
> > specifier with the maximum buffer size to prevent out-of-bounds reads
> > into adjacent kernel memory.
> >
> > Signed-off-by: Pasha Tatashin <pasha.tatashin@xxxxxxxxxx>
> [...]
>
> --
> Regards,
> Pratyush Yadav
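The bounded-print technique the quoted commit message describes, shown as an added userspace C example (this is not the patch's own code, and the record layout, field size and names below are constructed for illustration; the real KHO serialization format is not reproduced). `%.*s` takes the field size as precision, so formatting stops after that many bytes whether or not a NUL is present. Printing the same field with a plain `%s` would keep reading past the end of the field until it happened to find a NUL byte. The `strnlen` check is an extra added here to make the "not terminated" condition testable; it is not part of the quoted patch.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed record: a fixed-size "compatible" string that the previous
 * kernel was expected to NUL-terminate. Field size is an assumption. */
#define COMPAT_LEN 16

struct handler_rec {
    char compatible[COMPAT_LEN];
};

/* Well-formed record: copy the string and NUL-pad the rest of the field. */
void make_good_rec(struct handler_rec *r, const char *s)
{
    size_t n = strlen(s);

    if (n >= COMPAT_LEN)
        n = COMPAT_LEN - 1;
    memset(r->compatible, 0, COMPAT_LEN);
    memcpy(r->compatible, s, n);
}

/* Corrupted record: every byte is non-NUL, so there is no terminator
 * anywhere inside the field. */
void make_corrupt_rec(struct handler_rec *r)
{
    memset(r->compatible, 'A', COMPAT_LEN);
}

/* Returns 1 if a NUL exists within the field, 0 if the field is unterminated.
 * strnlen never looks past COMPAT_LEN bytes, so this check is itself safe. */
int compat_is_terminated(const struct handler_rec *r)
{
    return strnlen(r->compatible, COMPAT_LEN) < COMPAT_LEN;
}

/* Format an error message about the record. The precision argument bounds
 * the read to COMPAT_LEN bytes, so an unterminated field prints exactly its
 * contents and nothing beyond it. The C standard defines this as
 * well-formed for a non-terminated array when a precision is given.
 * Returns the length snprintf reports for the formatted message. */
int format_compat_error(const struct handler_rec *r, char *out, size_t outsz)
{
    return snprintf(out, outsz,
                    "liveupdate: unknown handler compatible '%.*s'",
                    COMPAT_LEN, r->compatible);
}

int main(void)
{
    struct handler_rec good, bad;
    char out[128];

    make_good_rec(&good, "memfd-v1");
    make_corrupt_rec(&bad);

    format_compat_error(&good, out, sizeof out);
    printf("%s (terminated=%d)\n", out, compat_is_terminated(&good));

    format_compat_error(&bad, out, sizeof out);
    printf("%s (terminated=%d)\n", out, compat_is_terminated(&bad));
    return 0;
}
```

In the kernel the same `%.*s` form works with `pr_err()` and friends, since the printk format parser honours precision for `%s`; the userspace `snprintf` here is only so the example runs stand-alone.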