| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2169828c-127c-4bf7-b953-2f1194b72830@stanley.mountain>
Date: Tue, 22 Apr 2025 13:24:22 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: Su Hui <suhui@...china.com>, davem@...emloft.net,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] crypto: using size_add() for kmalloc()
On Mon, Apr 21, 2025 at 08:05:43PM +0800, Herbert Xu wrote:
> On Mon, Apr 21, 2025 at 01:51:06PM +0800, Su Hui wrote:
> >
> > @@ -433,7 +434,7 @@ static inline struct aead_request *aead_request_alloc(struct crypto_aead *tfm,
> > {
> > struct aead_request *req;
> >
> > - req = kmalloc(sizeof(*req) + crypto_aead_reqsize(tfm), gfp);
> > + req = kmalloc(size_add(sizeof(*req), crypto_aead_reqsize(tfm)), gfp);
>
> This is just wrong. You should fail the allocation altogether
> rather than proceeding with a length that is insufficient.
When size_add() overflows then it returns SIZE_MAX. None of the
allocation functions can allocate SIZE_MAX bytes so kmalloc() will
fail and that's already handled correctly. Meanwhile if
"sizeof(*req) + crypto_aead_reqsize(tfm)" overflows then the
allocation will succeed and it results in memory corruption.
This is exactly what Kees did with the mass conversion to
struct_size(). I occasionally run across places where Kees's mass
conversion patches did fix real integer overflow bugs.
regards,
dan carpenter
Powered by blists - more mailing lists