From: Li Chen
To: Pasha Tatashin, Mike Rapoport, Pratyush Yadav, linux-kernel@vger.kernel.org
Cc: Li Chen
Subject: [PATCH v1] liveupdate: sanitize incoming session count
Date: Fri, 30 Jan 2026 16:46:15 +0800
Message-ID: <20260130084615.357435-1-me@linux.beauty>
X-Mailer: git-send-email 2.52.0
X-Mailing-List: linux-kernel@vger.kernel.org

luo_session_deserialize() iterates incoming sessions using
luo_session_header_ser::count. The header physical address is provided by
the previous kernel via the KHO FDT node. If the header is corrupted, count
may become arbitrarily large and the new kernel can read past the preserved
session array (sh->ser[i]). This is an OOB read that can crash or hang
early boot.

This can happen if the FDT node is corrupted or mis-parsed and points to a
wrong header address, if stale/incompatible handover data is interpreted
with the wrong layout, or if the preserved region is scribbled by memory
corruption or DMA after kexec.

Clamp the incoming count to LUO_SESSION_MAX before iterating.

Signed-off-by: Li Chen
---
 kernel/liveupdate/luo_session.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_sessio= n.c index dbdbc3bd7929..9d6c3ad990d9 100644 --- a/kernel/liveupdate/luo_session.c +++ b/kernel/liveupdate/luo_session.c @@ -515,6 +515,7 @@ int luo_session_deserialize(void) struct luo_session_header *sh =3D &luo_session_global.incoming; static bool is_deserialized; static int err; + u64 count; =20 /* If has been deserialized, always return the same error code */ if (is_deserialized)
@@ -524,6 +525,13 @@ int luo_session_deserialize(void) if (!sh->active) return 0; =20 + count =3D sh->header_ser->count; + if (count > LUO_SESSION_MAX) { + pr_warn("incoming session count %llu exceeds max %lu\n", + count, LUO_SESSION_MAX); + count =3D LUO_SESSION_MAX; + } + /* * Note on error handling: * @@ -539,7 +547,7 @@ int luo_session_deserialize(void) * userspace to detect the failure and trigger a reboot, which will * reliably reset devices and reclaim memory. */ - for (int i =3D 0; i < sh->header_ser->count; i++) { + for (u64 i =3D 0; i < count; i++) { struct luo_session *session; =20 session =3D luo_session_alloc(sh->ser[i].name); --=20 2.52.0
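Review bot: In the `@@ -524,6 +525,13 @@` hunk, clamping on `count > LUO_SESSION_MAX` lets deserialization continue on a header that the commit message itself says is corrupt, so the first LUO_SESSION_MAX entries of sh->ser[] are then handed to luo_session_alloc() as if they were valid. Consider treating an out-of-range count as a hard error instead (set err, mark is_deserialized and return, the same "always return the same error code" path already used at the top of the function), which also matches the comment in the following hunk about letting userspace detect the failure and trigger a reboot. Separately, `pr_warn("incoming session count %llu exceeds max %lu\n", count, LUO_SESSION_MAX)` assumes LUO_SESSION_MAX has type unsigned long; if it is defined as a plain integer literal this is a printk format mismatch, so use %d or cast the argument.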
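Review bot: In the `@@ -539,7 +547,7 @@` hunk, bounding the loop by `count` is only sufficient if the preserved region is guaranteed to contain LUO_SESSION_MAX entries of sh->ser[]; nothing here checks the size of the handed-over region, so a header that points at a truncated or wrongly laid out region (one of the cases the commit message lists) can still be read past its end with count <= LUO_SESSION_MAX. Worth stating in the commit message where that size guarantee comes from, or checking the region length against count * sizeof(sh->ser[0]) before the loop. Likewise, `luo_session_alloc(sh->ser[i].name)` still consumes a name from the untrusted region; unless luo_session_alloc() bounds the copy to the size of the name field, a scribbled entry without a NUL terminator is a string read past the buffer regardless of the clamp.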
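The pattern the commit message describes, as an added example in plain C that is not the kernel's code: a deserializer that bounds an untrusted count from a handed-over header against both the compiled-in maximum and the size of the region it was actually given, rejects (rather than clamps) on mismatch, and checks that each entry's name is terminated before anything uses it. The struct, macro and function names (ses_header, ses_entry, SES_MAX, ses_validate, ses_scenario) and the constructed regions are hypothetical stand-ins for luo_session_header_ser, ser[] and LUO_SESSION_MAX; the example goes beyond the patch by adding the region-size and name checks.

```c
/*
 * Added example (not kernel code): validating a session count received
 * from a previous kernel before it is used to index a preserved array.
 * ses_header / ses_entry / SES_MAX are hypothetical stand-ins for the
 * kernel's luo_session_header_ser, ser[] and LUO_SESSION_MAX.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SES_MAX      8    /* hypothetical capacity of the preserved array */
#define SES_NAME_LEN 16

struct ses_entry {
	char name[SES_NAME_LEN];
};

struct ses_header {
	uint64_t count;              /* written by the old kernel: untrusted */
	struct ses_entry ser[];      /* at most SES_MAX entries follow */
};

enum ses_status {
	SES_OK        =  0,
	SES_ETOOLARGE = -1,  /* count exceeds the compiled-in maximum */
	SES_ESHORT    = -2,  /* count does not fit in the region we hold */
	SES_ENAME     = -3,  /* an entry's name is not NUL-terminated */
	SES_EBUILD    = -4,  /* harness only: constructed region too small */
};

/*
 * Reject rather than clamp: a count that cannot be right means the header
 * (and probably ser[]) is corrupt, so nothing in it should be trusted.
 * Bound the count twice: against the maximum and against the number of
 * entries the handed-over region can actually contain. The division form
 * avoids the multiplication overflow that count * sizeof(entry) invites.
 */
static int ses_validate(const void *region, size_t region_len, uint64_t *out_count)
{
	const struct ses_header *h = region;
	uint64_t count, room;

	if (region_len < sizeof(*h))
		return SES_ESHORT;
	count = h->count;
	if (count > SES_MAX)
		return SES_ETOOLARGE;
	room = (region_len - sizeof(*h)) / sizeof(struct ses_entry);
	if (count > room)
		return SES_ESHORT;
	/* Only now is ser[i] known to be in bounds for every i < count. */
	for (uint64_t i = 0; i < count; i++)
		if (!memchr(h->ser[i].name, '\0', SES_NAME_LEN))
			return SES_ENAME;
	*out_count = count;
	return SES_OK;
}

/* Build a constructed handover region with n_slots entries and a header
 * count of hdr_count (which need not match n_slots, to simulate corruption). */
static size_t ses_build(uint8_t *buf, size_t buflen, uint64_t hdr_count,
			size_t n_slots, int corrupt_name)
{
	size_t need = sizeof(struct ses_header) + n_slots * sizeof(struct ses_entry);
	struct ses_header *h = (struct ses_header *)buf;

	if (need > buflen)
		return 0;
	memset(buf, 0, need);
	h->count = hdr_count;
	for (size_t i = 0; i < n_slots; i++)
		snprintf(h->ser[i].name, SES_NAME_LEN, "session%zu", i);
	if (corrupt_name && n_slots)
		memset(h->ser[0].name, 'A', SES_NAME_LEN);  /* no terminator */
	return need;
}

/* Run one constructed scenario and return the validator's verdict. */
static int ses_scenario(uint64_t hdr_count, size_t n_slots, int corrupt_name)
{
	size_t len = sizeof(struct ses_header) + n_slots * sizeof(struct ses_entry);
	uint8_t *buf = malloc(len);  /* heap memory: suitably aligned for the header */
	uint64_t n = 0;
	int rc;

	if (!buf || ses_build(buf, len, hdr_count, n_slots, corrupt_name) != len) {
		free(buf);
		return SES_EBUILD;
	}
	rc = ses_validate(buf, len, &n);
	free(buf);
	return rc;
}

int main(void)
{
	printf("sane header:           %d\n", ses_scenario(2, 2, 0));
	printf("count = UINT64_MAX:    %d\n", ses_scenario(UINT64_MAX, 2, 0));
	printf("count = max, 3 slots:  %d\n", ses_scenario(SES_MAX, 3, 0));
	printf("unterminated name:     %d\n", ses_scenario(1, 1, 1));
	return 0;
}
```

The third scenario is the one a bare maximum check misses: the count is within SES_MAX but the region only holds three entries, so the size check against the region is what stops the read past the end.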