Re: [PATCH 1/2] x86/setup_data: validate indirect entry sizes before dereferencing them
From: H. Peter Anvin
Date: Mon Apr 06 2026 - 17:11:39 EST
On April 5, 2026 4:06:52 AM PDT, Borislav Petkov <bp@xxxxxxxxx> wrote:
>On Sun, Apr 05, 2026 at 09:40:00AM +0800, Pengpeng Hou wrote:
>> I think that is worth handling because `setup_data` is still external boot
>> input to the kernel. It can come not only from a normal bootloader path, but
>> also from kexec-style handoff and virtualized boot flows.
>
>I'm asking you to explain the attack vector in detail. In which of those
>examples don't you need physical access to the machine and root?
>
>IOW, what scenario exactly are we protecting here against?
>
Sounds like he is more concerned about data corruption than malicious data. At least one possible cause could be a DMA device that has not been properly shut down before kdump – that's a known problem with no good solution and thus is probabilistic.
What is the likelihood that these sanity checks would catch that specific kind of corruption and still be able to produce a meaningful dump? Probably infinitesimal.
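To make concrete what "validate indirect entry sizes before dereferencing them" means in the subject line, here is a user-space model of a setup_data walk, written as an added example for this page (it is not the patch under review and not kernel code). It assumes the struct layouts of setup_data and setup_indirect as described in the x86 boot protocol, models "physical memory" as a constructed byte image in which addresses are offsets, and feeds the walker a constructed two-entry chain: once intact and once with the indirect entry's len field clobbered to a value smaller than the structure that is about to be read out of its payload. The names walk_setup_data, put_entry, demo_status and demo_count are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts as this example understands them from the x86 boot protocol
 * (assumption; the real definitions live in the kernel's uapi headers). */
struct setup_data {
    uint64_t next;   /* "physical address" of the next entry, 0 ends the list */
    uint32_t type;
    uint32_t len;    /* number of payload bytes that follow the header */
    uint8_t  data[]; /* payload */
};

struct setup_indirect {
    uint32_t type;
    uint32_t reserved;
    uint64_t len;
    uint64_t addr;   /* "physical address" of the real payload */
};

#define SETUP_INDIRECT (1u << 31)

enum walk_status {
    WALK_OK = 0,
    WALK_BAD_HEADER,   /* header itself does not fit in memory */
    WALK_BAD_LEN,      /* declared payload runs past the end of memory */
    WALK_BAD_INDIRECT, /* payload too short to hold a setup_indirect */
    WALK_BAD_TARGET,   /* indirect target range is out of bounds */
    WALK_LOOP          /* chain never terminates */
};

/* Walk the chain rooted at `pa` inside a constructed memory image of
 * `mem_size` bytes. Returns the number of entries accepted; *st says why
 * the walk stopped. Every field is bounds-checked before it is used to
 * compute the next access, so corrupted input ends the walk instead of
 * turning into an out-of-bounds read. */
static int walk_setup_data(const uint8_t *mem, size_t mem_size, uint64_t pa,
                           enum walk_status *st)
{
    int n = 0, hops = 0;

    while (pa != 0) {
        struct setup_data hdr;

        if (++hops > 64) { *st = WALK_LOOP; return n; }
        if (pa > mem_size || mem_size - pa < sizeof(hdr)) { *st = WALK_BAD_HEADER; return n; }
        memcpy(&hdr, mem + pa, sizeof(hdr));             /* unaligned-safe copy */
        if (mem_size - pa - sizeof(hdr) < hdr.len) { *st = WALK_BAD_LEN; return n; }

        if (hdr.type == SETUP_INDIRECT) {
            struct setup_indirect ind;

            /* The check named in the patch subject: the payload must be at
             * least as large as the structure we are about to read from it. */
            if (hdr.len < sizeof(ind)) { *st = WALK_BAD_INDIRECT; return n; }
            memcpy(&ind, mem + pa + sizeof(hdr), sizeof(ind));
            if (ind.addr > mem_size || mem_size - ind.addr < ind.len) { *st = WALK_BAD_TARGET; return n; }
        }
        n++;
        pa = hdr.next;
    }
    *st = WALK_OK;
    return n;
}

/* Write one entry at offset `at`; `len` is what the header will claim,
 * `avail` is how many payload bytes actually exist (so a lying header can
 * be constructed). */
static void put_entry(uint8_t *mem, size_t at, uint64_t next, uint32_t type,
                      const void *payload, uint32_t len, size_t avail)
{
    struct setup_data hdr = { .next = next, .type = type, .len = len };

    memcpy(mem + at, &hdr, sizeof(hdr));
    memcpy(mem + at + sizeof(hdr), payload, len < avail ? len : avail);
}

/* Constructed sample chain: a plain entry at 0x100, then an indirect entry
 * at 0x200 whose header claims `indirect_len` payload bytes. */
static int run_demo(uint32_t indirect_len, enum walk_status *st)
{
    uint8_t mem[4096];
    struct setup_indirect ind = { .type = 2, .reserved = 0, .len = 16, .addr = 0x400 };

    memset(mem, 0, sizeof(mem));
    put_entry(mem, 0x100, 0x200, 1, "abcd", 4, 4);
    put_entry(mem, 0x200, 0, SETUP_INDIRECT, &ind, indirect_len, sizeof(ind));
    return walk_setup_data(mem, sizeof(mem), 0x100, st);
}

int demo_status(uint32_t indirect_len) { enum walk_status st; run_demo(indirect_len, &st); return st; }
int demo_count(uint32_t indirect_len)  { enum walk_status st; return run_demo(indirect_len, &st); }

int main(void)
{
    printf("intact chain:    status=%d entries=%d\n", demo_status(24), demo_count(24));
    printf("clobbered len=8: status=%d entries=%d\n", demo_status(8), demo_count(8));
    return 0;
}
```

With the intact chain both entries are accepted; with the indirect entry's len reduced to 8 the walk stops at that entry with WALK_BAD_INDIRECT rather than reading a 24-byte setup_indirect out of an 8-byte payload. Whether such a check is worth carrying in the kernel is exactly the question the thread is debating; the example only shows what the check does, not how often corrupted setup_data would be caught by it.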