| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250920113723.380498-1-kriish.sharma2006@gmail.com>
Date: Sat, 20 Sep 2025 11:37:23 +0000
From: Kriish Sharma <kriish.sharma2006@...il.com>
To: davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
horms@...nel.org,
willemb@...gle.com,
kerneljasonxing@...il.com,
martin.lau@...nel.org,
mhal@...x.co,
almasrymina@...gle.com,
ebiggers@...gle.com,
aleksander.lobakin@...el.com
Cc: netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
skhan@...uxfoundation.org,
Kriish Sharma <kriish.sharma2006@...il.com>,
syzbot+5a2250fd91b28106c37b@...kaller.appspotmail.com
Subject: [PATCH] net: skb: guard kmalloc_reserve() against oversized allocations
Add an explicit size check in kmalloc_reserve() to reject requests
larger than KMALLOC_MAX_SIZE before they reach the allocator.
syzbot reported warnings triggered by attempts to allocate buffers
with an object size exceeding KMALLOC_MAX_SIZE. While the existing
code relies on kmalloc() failure and a comment states that truncation
is "harmless", in practice this causes high-order allocation warnings
and noisy kernel logs that interfere with testing.
This patch introduces an early guard in kmalloc_reserve() that returns
NULL if obj_size exceeds KMALLOC_MAX_SIZE. This ensures impossible
requests fail fast and silently, avoiding allocator warnings while
keeping the intended semantics unchanged.
Fixes: 7fa4d8dc380f ("Add linux-next specific files for 20250821")
Reported-by: syzbot+5a2250fd91b28106c37b@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5a2250fd91b28106c37b
Signed-off-by: Kriish Sharma <kriish.sharma2006@...il.com>
---
net/core/skbuff.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index ee0274417948..98efa95ea038 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -591,6 +591,8 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node,
/* The following cast might truncate high-order bits of obj_size, this
* is harmless because kmalloc(obj_size >= 2^32) will fail anyway.
*/
+ if (unlikely(obj_size > KMALLOC_MAX_SIZE))
+ return NULL;
*size = (unsigned int)obj_size;
/*
--
2.34.1
Powered by blists - more mailing lists