From: Josh Law <hlcj1234567@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, Josh Law <objecting@objecting.org>
Subject: [PATCH v3 2/2] lib/ts_kmp: fix integer overflow in pattern length calculation
Date: Sun, 8 Mar 2026 20:17:53 +0000 [thread overview]
Message-ID: <20260308201753.2889216-2-objecting@objecting.org> (raw)
In-Reply-To: <20260308201753.2889216-1-objecting@objecting.org>
From: Josh Law <objecting@objecting.org>
Changes in v3:
- mirror the ts_bm review fixes for consistency across the series
- move overflow checks before the arithmetic they guard
- add comments and use overflow.h helpers for the allocation math
The ts_kmp algorithm stores its prefix_tbl[] table and pattern in a
single allocation sized from the pattern length. If the prefix_tbl[]
size calculation wraps, the resulting allocation can be too small and
subsequent pattern copies can overflow it.
Fix this by rejecting zero-length patterns and by using overflow
helpers before calculating the combined allocation size.
Signed-off-by: Josh Law <objecting@objecting.org>
---
lib/ts_kmp.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/lib/ts_kmp.c b/lib/ts_kmp.c
index 5520dc28255a..29466c1803c9 100644
--- a/lib/ts_kmp.c
+++ b/lib/ts_kmp.c
@@ -94,8 +94,22 @@ static struct ts_config *kmp_init(const void *pattern, unsigned int len,
struct ts_config *conf;
struct ts_kmp *kmp;
int i;
- unsigned int prefix_tbl_len = len * sizeof(unsigned int);
- size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len;
+ unsigned int prefix_tbl_len;
+ size_t priv_size;
+
+ /* Zero-length patterns would make kmp_find() read beyond kmp->pattern. */
+ if (unlikely(!len))
+ return ERR_PTR(-EINVAL);
+
+ /*
+ * kmp->pattern is stored immediately after the prefix_tbl[] table.
+ * Reject lengths that would wrap while sizing either region.
+ */
+ if (unlikely(check_mul_overflow(len, sizeof(*kmp->prefix_tbl),
+ &prefix_tbl_len) ||
+ check_add_overflow(sizeof(*kmp), (size_t)len, &priv_size) ||
+ check_add_overflow(priv_size, prefix_tbl_len, &priv_size)))
+ return ERR_PTR(-EINVAL);
conf = alloc_ts_config(priv_size, gfp_mask);
if (IS_ERR(conf))
--
2.43.0
next prev parent reply other threads:[~2026-03-08 20:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-08 18:10 [PATCH v2 1/2] lib/ts_bm: fix integer overflow in pattern length calculation Josh Law
2026-03-08 18:10 ` [PATCH v2 2/2] lib/ts_kmp: " Josh Law
2026-03-08 19:55 ` [PATCH v2 1/2] lib/ts_bm: " Andrew Morton
2026-03-08 20:06 ` Josh Law
2026-03-08 20:15 ` Josh Law
2026-03-08 20:17 ` [PATCH v3 " Josh Law
2026-03-08 20:17 ` Josh Law [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-03-08 20:20 Josh Law
2026-03-08 20:20 ` [PATCH v3 2/2] lib/ts_kmp: " Josh Law
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260308201753.2889216-2-objecting@objecting.org \
--to=hlcj1234567@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=objecting@objecting.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.