| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250923061344.GT5333@twin.jikos.cz> Date: Tue, 23 Sep 2025 08:13:44 +0200 From: David Sterba <dsterba@...e.cz> To: Miquel Sabaté Solà <mssola@...ola.com> Cc: David Sterba <dsterba@...e.cz>, linux-btrfs@...r.kernel.org, clm@...com, dsterba@...e.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH 1/2] btrfs: Prevent open-coded arithmetic in kmalloc On Mon, Sep 22, 2025 at 02:47:13PM +0200, Miquel Sabaté Solà wrote: > Hello, > > David Sterba @ 2025-09-22 12:28 +02: > > > On Fri, Sep 19, 2025 at 04:58:15PM +0200, Miquel Sabaté Solà wrote: > >> As pointed out in the documentation, calling 'kmalloc' with open-coded > >> arithmetic can lead to unfortunate overflows and this particular way of > >> using it has been deprecated. Instead, it's preferred to use > >> 'kmalloc_array' in cases where it might apply so an overflow check is > >> performed. > > > > So this is an API cleanup and it makes sense to use the checked > > multiplication but it should be also said that this is not fixing any > > overflow because in all cases the multipliers are bounded small numbers > > derived from number of items in leaves/nodes. > > Yes, it's just an API cleanup and I don't think it fixes any current bug > in the code base. So no need to CC stable or anything like that. Still the changelog should say explicitly that it's not a bug fix before somebody assigns a CVE to it because it mentions overflow.
Powered by blists - more mailing lists