From nobody Thu Apr 2 22:23:31 2026
Date: Sat, 14 Feb 2026 01:57:51 +0100
From: Marco Elver
To: elver@google.com
Cc: Alexander Graf, Mike Rapoport, Pasha Tatashin, Pratyush Yadav, kexec@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com
Subject: [PATCH] kho: validate order in deserialize_bitmap()
Message-ID: <20260214010013.3027519-1-elver@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.53.0.335.g19a08e0c02-goog
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The function deserialize_bitmap() calculates the reservation size using:

	int sz = 1 << (order + PAGE_SHIFT);

If a corrupted KHO image provides an order >= 20 (on systems with 4KB pages), the shift amount becomes >= 32, which overflows the 32-bit integer. This results in a zero-size memory reservation.

Furthermore, the physical address calculation:

	phys_addr_t phys = elm->phys_start + (bit << (order + PAGE_SHIFT));

can also overflow and wrap around if the order is large. This allows a corrupt KHO image to cause out-of-bounds updates to page->private of arbitrary physical pages during early boot.

Fix this by adding a bounds check for the order field.

Fixes: fc33e4b44b27 ("kexec: enable KHO support for memory preservation")
Signed-off-by: Marco Elver
---
 kernel/liveupdate/kexec_handover.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/liveupdate/kexec_handover.c b/kernel/liveupdate/kexec_handover.c
index b851b09a8e99..ec353e4b68a6 100644
--- a/kernel/liveupdate/kexec_handover.c
+++ b/kernel/liveupdate/kexec_handover.c
@@ -463,6 +463,11 @@ static void __init deserialize_bitmap(unsigned int order,
 	struct kho_mem_phys_bits *bitmap = KHOSER_LOAD_PTR(elm->bitmap);
 	unsigned long bit;
 
+	if (order > MAX_PAGE_ORDER) {
+		pr_warn("invalid order %u for preserved bitmap\n", order);
+		return;
+	}
+
 	for_each_set_bit(bit, bitmap->preserve, PRESERVE_BITS) {
 		int sz = 1 << (order + PAGE_SHIFT);
 		phys_addr_t phys =
-- 
2.53.0.335.g19a08e0c02-goog
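Review bot: the new guard keeps `int sz = 1 << (order + PAGE_SHIFT)` from overflowing only as long as MAX_PAGE_ORDER + PAGE_SHIFT stays below 31, which holds on the usual configurations but is nowhere stated or enforced in the hunk; since the context line still computes the size in a signed 32-bit `int`, consider changing it to `unsigned long sz = PAGE_SIZE << order;` so the computation is correct by type and not only by the bound on `order`. On the `pr_warn` itself: it reports the order but not which element was rejected, and because deserialize_bitmap() returns void the caller cannot tell that this element was skipped, so including `elm->phys_start` in the message would make a corrupted image diagnosable from the boot log.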
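As an added example, not taken from the patch or from the kernel source, the same validation written as userspace C: the `order` read from the image is checked against MAX_PAGE_ORDER before it is used as a shift amount, and the chunk address is computed with overflow-checked arithmetic so a wrap is detected instead of silently yielding an address elsewhere in physical memory. PAGE_SHIFT and MAX_PAGE_ORDER are assumed values for x86-64 with 4K pages; `struct kho_elm`, `kho_order_valid`, `kho_chunk_phys` and the sample bitmap are constructed stand-ins, not the kernel's `kho_mem_phys_bits` or its helpers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT     12U   /* assumed: 4K pages */
#define MAX_PAGE_ORDER 10U   /* assumed: default buddy-allocator maximum */
#define PRESERVE_BITS  64U   /* constructed: one 64-bit word per element */

typedef uint64_t phys_addr_t;

/* Constructed stand-in for a serialized element: a base address plus a
 * bitmap in which bit i marks chunk i (2^order pages) as preserved. */
struct kho_elm {
	phys_addr_t phys_start;
	uint64_t preserve;
};

/* `order` is untrusted input from the previous kernel's image; reject
 * anything the page allocator could never have produced. */
static bool kho_order_valid(unsigned int order)
{
	return order <= MAX_PAGE_ORDER;
}

/* Size of one chunk, computed in 64 bits. With a validated order the
 * shift amount (MAX_PAGE_ORDER + PAGE_SHIFT) is far below 64. */
static uint64_t kho_chunk_size(unsigned int order)
{
	return (uint64_t)1 << (order + PAGE_SHIFT);
}

/* Address of chunk `bit`; returns false instead of wrapping around. */
static bool kho_chunk_phys(phys_addr_t phys_start, unsigned int order,
			   unsigned int bit, phys_addr_t *out)
{
	uint64_t offset;

	if (__builtin_mul_overflow((uint64_t)bit, kho_chunk_size(order), &offset))
		return false;
	return !__builtin_add_overflow(phys_start, offset, out);
}

/* Walk one element. Returns the number of chunk addresses written to
 * `out`, or -1 if the order is invalid. Chunks whose address would wrap
 * are skipped and counted in *wrapped so the caller can report them. */
static int deserialize_bitmap(const struct kho_elm *elm, unsigned int order,
			      phys_addr_t *out, unsigned int max_out,
			      unsigned int *wrapped)
{
	unsigned int bit, n = 0;

	*wrapped = 0;
	if (!kho_order_valid(order)) {
		fprintf(stderr, "invalid order %u for preserved bitmap\n", order);
		return -1;
	}

	for (bit = 0; bit < PRESERVE_BITS; bit++) {
		if (!(elm->preserve & ((uint64_t)1 << bit)))
			continue;
		if (n == max_out)
			break;
		if (!kho_chunk_phys(elm->phys_start, order, bit, &out[n])) {
			(*wrapped)++;
			continue;
		}
		n++;
	}
	return (int)n;
}

int main(void)
{
	/* Constructed element: order-0 chunks at bits 0 and 2, base 0x1000. */
	struct kho_elm elm = { .phys_start = 0x1000, .preserve = 0x5 };
	phys_addr_t phys[8];
	unsigned int wrapped;
	int n = deserialize_bitmap(&elm, 0, phys, 8, &wrapped);

	for (int i = 0; i < n; i++)
		printf("chunk %d at 0x%llx\n", i, (unsigned long long)phys[i]);

	/* A corrupted order is rejected before any shift takes place. */
	printf("order 20 -> %d\n", deserialize_bitmap(&elm, 20, phys, 8, &wrapped));
	return 0;
}
```

The two checks are deliberately separate: the bound on `order` is what the patch adds and is sufficient on its own to keep both shifts in range, while the overflow-checked addition covers the second failure mode the commit message names (phys_start plus a large offset wrapping) for any element whose base address sits near the top of the address space.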