From: Josh Law
To: Andrew Morton
Cc: linux-kernel@vger.kernel.org, Josh Law
Subject: [PATCH 2/2] lib/ts_kmp: fix integer overflow in pattern length calculation
Date: Sun, 8 Mar 2026 18:04:53 +0000
Message-ID: <20260308180453.2883890-2-objecting@objecting.org>
In-Reply-To: <20260308180453.2883890-1-objecting@objecting.org>
References: <20260308180453.2883890-1-objecting@objecting.org>

The ts_kmp algorithm computes the required allocation size by multiplying the pattern length by the size of an integer. If the pattern length is sufficiently large, this can overflow the 32-bit unsigned int before it is widened to size_t. This could result in an undersized allocation and a subsequent heap buffer overflow when copying the pattern.

Fix this by explicitly checking that the length does not exceed the maximum safe threshold before calculating the buffer sizes.

Signed-off-by: Josh Law
---
 lib/ts_kmp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/ts_kmp.c b/lib/ts_kmp.c index 5520dc28255a..e07f5e80d076 100644 --- a/lib/ts_kmp.c +++ b/lib/ts_kmp.c
@@ -97,6 +97,9 @@ static struct ts_config *kmp_init(const void *pattern, unsigned int len, unsigned int prefix_tbl_len = len * sizeof(unsigned int); size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len; + if (unlikely(len == 0 || len > (UINT_MAX - sizeof(*kmp)) / (sizeof(unsigned int) + 1))) + return ERR_PTR(-EINVAL); + conf = alloc_ts_config(priv_size, gfp_mask); if (IS_ERR(conf)) return conf; -- 2.43.0
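
Review bot: the `len == 0` clause in the added condition makes kmp_init() return -EINVAL for an empty pattern, which is a behaviour change the commit message never mentions; it describes only the overflow. Either drop that clause so the check reads `if (len > (UINT_MAX - sizeof(*kmp)) / (sizeof(unsigned int) + 1))`, or justify the zero-length rejection in the changelog, ideally as its own patch. Two smaller points on the same line: unlikely() buys nothing in an init function, and the bound silently mirrors the priv_size expression two lines above it (sizeof(*kmp) + len + len * sizeof(unsigned int)), so a short comment tying the two together would keep them from drifting apart.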
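
The arithmetic the commit message describes, as an added example that is not part of the original patch or of lib/ts_kmp.c. It models unsigned int as uint32_t and size_t as uint64_t, and HDR_SIZE is an assumed stand-in for sizeof(*kmp), which the page does not give.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for sizeof(*kmp); the real value is not on the page. */
#define HDR_SIZE 16u

/* Size as computed by the two declarations in kmp_init(): the product is
 * stored in a 32-bit unsigned int (keeping only the low 32 bits), then
 * summed in a wider type. */
static uint64_t priv_size_as_written(uint32_t len)
{
	uint32_t prefix_tbl_len = (uint32_t)((uint64_t)len * sizeof(uint32_t));

	return (uint64_t)HDR_SIZE + len + prefix_tbl_len;
}

/* Size actually needed: header, pattern bytes, one 32-bit entry per byte. */
static uint64_t priv_size_needed(uint32_t len)
{
	return (uint64_t)HDR_SIZE + len + (uint64_t)len * sizeof(uint32_t);
}

/* The bound from the patch, with UINT_MAX modelled as UINT32_MAX. */
static int len_rejected(uint32_t len)
{
	return len == 0 ||
	       len > (UINT32_MAX - HDR_SIZE) / (sizeof(uint32_t) + 1);
}

int main(void)
{
	/* Constructed sample lengths: small, largest accepted, truncating. */
	const uint32_t samples[] = { 16u, 858993455u, 0x40000001u };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t len = samples[i];

		printf("len=%u allocated=%llu needed=%llu rejected=%d\n",
		       (unsigned)len,
		       (unsigned long long)priv_size_as_written(len),
		       (unsigned long long)priv_size_needed(len),
		       len_rejected(len));
	}
	return 0;
}
```
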