Marco Elver
Feb 13, 2026, 8:00:33 PM
to el...@google.com, Alexander Graf, Mike Rapoport, Pasha Tatashin, Pratyush Yadav, ke...@lists.infradead.org, linu...@kvack.org, linux-...@vger.kernel.org, kasa...@googlegroups.com
The function deserialize_bitmap() calculates the reservation size using:
int sz = 1 << (order + PAGE_SHIFT);
If a corrupted KHO image provides an order >= 20 (on systems with 4KB
pages), the shift amount becomes >= 32, which overflows the 32-bit
integer. This results in a zero-size memory reservation.
Furthermore, the physical address calculation:
phys_addr_t phys = elm->phys_start + (bit << (order + PAGE_SHIFT));
can also overflow and wrap around if the order is large. This allows a
corrupt KHO image to cause out-of-bounds updates to page->private of
arbitrary physical pages during early boot.
Fix this by adding a bounds check for the order field.
Fixes: fc33e4b44b27 ("kexec: enable KHO support for memory preservation")
Signed-off-by: Marco Elver <el...@google.com>
---
kernel/liveupdate/kexec_handover.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/liveupdate/kexec_handover.c b/kernel/liveupdate/kexec_handover.c
index b851b09a8e99..ec353e4b68a6 100644
--- a/kernel/liveupdate/kexec_handover.c
+++ b/kernel/liveupdate/kexec_handover.c
@@ -463,6 +463,11 @@ static void __init deserialize_bitmap(unsigned int order,
struct kho_mem_phys_bits *bitmap = KHOSER_LOAD_PTR(elm->bitmap);
unsigned long bit;
+ if (order > MAX_PAGE_ORDER) {
+ pr_warn("invalid order %u for preserved bitmap\n", order);
+ return;
+ }
+
for_each_set_bit(bit, bitmap->preserve, PRESERVE_BITS) {
int sz = 1 << (order + PAGE_SHIFT);
phys_addr_t phys =
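Review bot: the new check rejects order > MAX_PAGE_ORDER, which is a much tighter bound than the overflow threshold the commit message describes (order + PAGE_SHIFT >= 32 on 4K pages); that is the right limit if the serializer never emits orders above the buddy allocator's maximum, so the commit message should state that rationale rather than only the overflow arithmetic. With order now bounded, `int sz = 1 << (order + PAGE_SHIFT);` still sits inside the for_each_set_bit() loop and is signed; it could be hoisted above the loop and computed as `unsigned long sz = 1UL << (order + PAGE_SHIFT);` so the size can never go negative and is not recomputed per bit. Finally, a pr_warn() followed by a silent return means the range is simply not preserved; it is worth noting in the message that a later allocation may then reuse that memory, since that is the consequence the next kernel sees.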
--
2.53.0.335.g19a08e0c02-goog