| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250922170357.148588-1-viswanathiyyappan@gmail.com>
Date: Mon, 22 Sep 2025 22:33:57 +0530
From: I Viswanath <viswanathiyyappan@...il.com>
To: vbabka@...e.cz,
akpm@...ux-foundation.org,
cl@...two.org,
rientjes@...gle.com,
roman.gushchin@...ux.dev,
harry.yoo@...cle.com
Cc: linux-mm@...ck.org,
linux-kernel@...r.kernel.org,
skhan@...uxfoundation.org,
david.hunter.linux@...il.com,
linux-kernel-mentees@...ts.linux.dev,
I Viswanath <viswanathiyyappan@...il.com>,
syzbot+94d20db923b9f51be0df@...kaller.appspotmail.com
Subject: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions
syzbot reported WARNING in max_vclocks_store.
This occurs when the size argument fits into a u32 but is too large
to allocate, i.e., when it's between KMALLOC_MAX_SIZE + 1
and UINT_MAX (both limits included)
Add validation to kmalloc_array_noprof() and related functions to
return early if the requested size exceeds KMALLOC_MAX_SIZE.
This seems like the most reasonable place for this guard.
Would it be a good idea to move the check down to
the lower level functions like __kmalloc_node_noprof()?
Moving it up is not a good idea because
max_vclocks_store shouldn't reason around KMALLOC_MAX_SIZE,
a mm specific macro.
Should the Fixes: commit here be the one in which this file
was added?
Reported-by: syzbot+94d20db923b9f51be0df@...kaller.appspotmail.com
Tested-by: syzbot+94d20db923b9f51be0df@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=94d20db923b9f51be0df
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: I Viswanath <viswanathiyyappan@...il.com>
---
include/linux/slab.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/linux/slab.h b/include/linux/slab.h
index d5a8ab98035c..6db15c5b2ce7 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -943,7 +943,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_noprof(size_t n, size_t siz
{
size_t bytes;
- if (unlikely(check_mul_overflow(n, size, &bytes)))
+ if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
return NULL;
return kmalloc_noprof(bytes, flags);
}
@@ -973,7 +973,7 @@ static inline __realloc_size(2, 3) void * __must_check krealloc_array_noprof(voi
{
size_t bytes;
- if (unlikely(check_mul_overflow(new_n, new_size, &bytes)))
+ if (unlikely(check_mul_overflow(new_n, new_size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
return NULL;
return krealloc_noprof(p, bytes, flags);
@@ -1013,7 +1013,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_node_noprof(size_t n, size_
{
size_t bytes;
- if (unlikely(check_mul_overflow(n, size, &bytes)))
+ if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
return NULL;
if (__builtin_constant_p(n) && __builtin_constant_p(size))
return kmalloc_node_noprof(bytes, flags, node);
@@ -1059,7 +1059,7 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node)
{
size_t bytes;
- if (unlikely(check_mul_overflow(n, size, &bytes)))
+ if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
return NULL;
return kvmalloc_node_noprof(bytes, flags, node);
--
2.47.3
Powered by blists - more mailing lists