lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ad70d906-8889-40d3-9af6-6a2be68faf77@astralinux.ru>
Date: Thu, 20 Mar 2025 12:12:27 +0300
From: Anastasia Belova <abelova@...ralinux.ru>
To: Sergey Senozhatsky <senozhatsky@...omium.org>
Cc: Minchan Kim <minchan@...nel.org>,
 Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
 linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free


On 3/13/25 5:42 PM, Sergey Senozhatsky wrote:
> On (25/03/13 14:51), Anastasia Belova wrote:
>> The result of multiplication of class_size and f_objidx
>> may not fit unsigned integer. Add explicit casting to
>> unsigned long to prevent integer overflow.
> I can't see how this can be possible.  Neither size_class nor
> object idx can take values to cause mul overflow.

object index may be up to OBJ_INDEX_MASK = ((_AC(1, UL) << 
OBJ_INDEX_BITS) - 1)
= ((_AC(1, UL) << PAGE_SHIFT) - 1)

class_size may be up to ZS_MAX_ALLOC_SIZE = PAGE_SIZE.

If address (and unsigned long) is 64-bit, the result of multiplication
won't fit 32-bit integer. Please correct me if I'm wrong.

Best regards,
Anastasia Belova

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ