* [PATCH 1/2] lib/ts_bm: fix integer overflow in pattern length calculation
@ 2026-03-08 18:04 Josh Law
2026-03-08 18:04 ` [PATCH 2/2] lib/ts_kmp: " Josh Law
0 siblings, 1 reply; 2+ messages in thread
From: Josh Law @ 2026-03-08 18:04 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-kernel, Josh Law
The ts_bm algorithm computes the required allocation size by
multiplying the pattern length by the size of an integer. If the
pattern length is sufficiently large, this can overflow the 32-bit
unsigned int before it is widened to size_t. This could result in an
undersized allocation and a subsequent heap buffer overflow when
copying the pattern.
Fix this by explicitly checking that the length does not exceed
the maximum safe threshold before calculating the buffer sizes.
Signed-off-by: Josh Law <objecting@objecting.org>
---
lib/ts_bm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/ts_bm.c b/lib/ts_bm.c
index eed5967238c5..01ea0a93cf6e 100644
--- a/lib/ts_bm.c
+++ b/lib/ts_bm.c
@@ -166,6 +166,9 @@ static struct ts_config *bm_init(const void *pattern, unsigned int len,
unsigned int prefix_tbl_len = len * sizeof(unsigned int);
size_t priv_size = sizeof(*bm) + len + prefix_tbl_len;
+ if (unlikely(len == 0 || len > (UINT_MAX - sizeof(*bm)) / (sizeof(unsigned int) + 1)))
+ return ERR_PTR(-EINVAL);
+
conf = alloc_ts_config(priv_size, gfp_mask);
if (IS_ERR(conf))
return conf;
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH 2/2] lib/ts_kmp: fix integer overflow in pattern length calculation
2026-03-08 18:04 [PATCH 1/2] lib/ts_bm: fix integer overflow in pattern length calculation Josh Law
@ 2026-03-08 18:04 ` Josh Law
0 siblings, 0 replies; 2+ messages in thread
From: Josh Law @ 2026-03-08 18:04 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-kernel, Josh Law
The ts_kmp algorithm computes the required allocation size by
multiplying the pattern length by the size of an integer. If the
pattern length is sufficiently large, this can overflow the 32-bit
unsigned int before it is widened to size_t. This could result in an
undersized allocation and a subsequent heap buffer overflow when
copying the pattern.
Fix this by explicitly checking that the length does not exceed
the maximum safe threshold before calculating the buffer sizes.
Signed-off-by: Josh Law <objecting@objecting.org>
---
lib/ts_kmp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/ts_kmp.c b/lib/ts_kmp.c
index 5520dc28255a..e07f5e80d076 100644
--- a/lib/ts_kmp.c
+++ b/lib/ts_kmp.c
@@ -97,6 +97,9 @@ static struct ts_config *kmp_init(const void *pattern, unsigned int len,
unsigned int prefix_tbl_len = len * sizeof(unsigned int);
size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len;
+ if (unlikely(len == 0 || len > (UINT_MAX - sizeof(*kmp)) / (sizeof(unsigned int) + 1)))
+ return ERR_PTR(-EINVAL);
+
conf = alloc_ts_config(priv_size, gfp_mask);
if (IS_ERR(conf))
return conf;
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-03-08 18:04 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-08 18:04 [PATCH 1/2] lib/ts_bm: fix integer overflow in pattern length calculation Josh Law
2026-03-08 18:04 ` [PATCH 2/2] lib/ts_kmp: " Josh Law
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox