From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wm1-f73.google.com (mail-wm1-f73.google.com [209.85.128.73])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A15C33128B8
	for <linux-kernel@vger.kernel.org>; Mon, 20 Apr 2026 11:49:16 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.73
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776685758; cv=none; b=F3jF+Sn3oqLNQNQDgAdmppmMeGvdRu/sOJXrxLfc74tqSmObs2/YyJupuAQcl+9nDzm8V89lQheOYgrrV9tKWGurcPYZTtWAhgCs2IaWYsbXXojjhHKr8abYBIehnlvXL/CPo4CIMGYAbhNvCzUd8ga2IFGe6GWH7T01m9CTDOI=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776685758; c=relaxed/simple;
	bh=FYq3u2vFTIsG4AktCWpYdLj1p5HGz7GybA4JVBaBe8g=;
	h=Date:Mime-Version:Message-ID:Subject:From:To:Cc:Content-Type; b=Mev95dgpB+ViCAtKIIKw6GKomg/U377ICcQtWL3w0DM9UQl8f04ZY5vpAxVwTE7YA0a1HoTqtr56UUQ5XOcA612PKc5pn4RkH9EpetkM+C8Ok11By6oApMJryFRSgnr++K35iCvMz0tP9ERJ15PRb9m0YTpYEoU7zLVLw0MOkjU=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--elver.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=I4bAmo7H; arc=none smtp.client-ip=209.85.128.73
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--elver.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="I4bAmo7H"
Received: by mail-wm1-f73.google.com with SMTP id 5b1f17b1804b1-488d1b5bca0so15301325e9.2
        for <linux-kernel@vger.kernel.org>; Mon, 20 Apr 2026 04:49:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1776685755; x=1777290555; darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
         :date:message-id:reply-to;
        bh=5qBi9ldbtbrcpWyzJP2C0tv/H5iabsIC81OiRN0uJ2k=;
        b=I4bAmo7HjVMLSr31PHw0wpI9Q56qW7VFFRDZLINtP6VuZZpfArVSUOZeosM6PawckH
         mIf5CrW3UJZXH7L6BwuT0qfGOJCcGt2aOjwjDth2gqN56ECTCvd4GI9CJJHU67NmE0Ph
         ghqIPrzr/+VD9r0VicIkA8OnU5CIHeooQCs0giotz5X8h/BfiXQzV3bUlTO5ZynX9mDv
         PRsoSjp9s6DhsbZPK7yqhWZ+sL7eRv7LHvTUZ30K3PDKItKizB7KV9brerPhMnDyvPzP
         EP9PRZvHf/3HI1M9vfdHwT+PUqg77B/Gmvr9YGeZ/B3kZLuYukB5tU1FBAZ48XMgwrBr
         wTEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776685755; x=1777290555;
        h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=5qBi9ldbtbrcpWyzJP2C0tv/H5iabsIC81OiRN0uJ2k=;
        b=me/pZKu4Krn31p+g8CfTkX16PqcRGER2Qq9ImdiT9npntIuSwVQOAQzCWtZn7enT6F
         KJ/pRuNIoFed86jwZACQJD/BSxIhGT6cGbt0UWm1fpw2y7Wrqe36+QQF0FGR1ODZNLZW
         6JOQX9PWRQhIYfTvLvKVjtBZQiWQ5LexyX6ONHhZukS8GcVZNpK9pWIxe1JltTHGvvR7
         ONcEdztIzs2HvszLjh914ccC6aPNARSWBHZ+7qaFAUQ2KHNnhzTkakti/STMBipvHqxn
         Ua5iOhZzT357xK1MUXc0Q2Tz0gkfZrSvEv+RZ/c5fiHKqDGRK3MZJ12DvcJpw6czXibU
         lelQ==
X-Forwarded-Encrypted: i=1; AFNElJ9ZFnomFZaxerU/dyLfJs2T4/xGaAruQtYUXwg1iLdO09Lf2i2uXIJt4ZH1U6fZjWsw3rXw/yFQwWuhqwI=@vger.kernel.org
X-Gm-Message-State: AOJu0YwUn2ARgXUKyHdO4ArHJ3T8ms/a6RGUUpdKxJq+NHCzrvUMuo8+
	2YAj0R0xCjM/Qwbf+TUsHGOmvn5FjvIZeDEiMiAApa2YLz8osXKlzNYo873RnvZbTHwIZiDkEhs
	NkA==
X-Received: from wmpv10.prod.google.com ([2002:a05:600c:4d8a:b0:486:fe68:2045])
 (user=elver job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:8901:b0:488:d228:a133
 with SMTP id 5b1f17b1804b1-488fb778d15mr138129125e9.14.1776685754892; Mon, 20
 Apr 2026 04:49:14 -0700 (PDT)
Date: Mon, 20 Apr 2026 13:47:26 +0200
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
X-Mailer: git-send-email 2.54.0.rc1.513.gad8abe7a5a-goog
Message-ID: <20260420114805.3572606-2-elver@google.com>
Subject: [PATCH] vmalloc: fix buffer overflow in vrealloc_node_align()
From: Marco Elver <elver@google.com>
To: elver@google.com, Vlastimil Babka <vbabka@kernel.org>, 
	Andrew Morton <akpm@linux-foundation.org>
Cc: Uladzislau Rezki <urezki@gmail.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, 
	kasan-dev@googlegroups.com, Vitaly Wool <vitaly.wool@konsulko.se>, 
	stable@vger.kernel.org, "Harry Yoo (Oracle)" <harry@kernel.org>
Content-Type: text/plain; charset="UTF-8"

Commit 4c5d3365882d ("mm/vmalloc: allow to set node and align in
vrealloc") added the ability to force a new allocation if the current
pointer is on the wrong NUMA node, or if an alignment constraint is not
met, even if the user is shrinking the allocation.

On this path (need_realloc), the code allocates a new object of 'size'
bytes and then memcpy()s 'old_size' bytes into it. If the request is to
shrink the object (size < old_size), this results in an out-of-bounds
write on the new buffer.

Fix this by bounding the copy length by the new allocation size.

Fixes: 4c5d3365882d ("mm/vmalloc: allow to set node and align in vrealloc")
Cc: <stable@vger.kernel.org>
Reported-by: Harry Yoo (Oracle) <harry@kernel.org>
Signed-off-by: Marco Elver <elver@google.com>
---
 mm/vmalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 61caa55a4402..8b1124158f54 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -4361,7 +4361,7 @@ void *vrealloc_node_align_noprof(const void *p, size_t size, unsigned long align
 		return NULL;
 
 	if (p) {
-		memcpy(n, p, old_size);
+		memcpy(n, p, min(size, old_size));
 		vfree(p);
 	}
 
-- 
2.54.0.rc1.513.gad8abe7a5a-goog