RE: [PATCH net] net: deal with integer overflows in kmalloc_reserve()
From: David Laight <hidden>
Date: 2023-09-04 08:41:16
From: Eric Dumazet
Sent: 31 August 2023 19:38
> Blamed commit changed:
>
>     ptr = kmalloc(size);
>     if (ptr)
>         size = ksize(ptr);
>
> to:
>
>     size = kmalloc_size_roundup(size);
>     ptr = kmalloc(size);
>
> This allowed various crashes as reported by syzbot [1]
> and Kyle Zeng.
>
> Problem is that if @size is bigger than 0x80000001,
> kmalloc_size_roundup(size) returns 2^32.
>
> kmalloc_reserve() uses a 32bit variable (obj_size),
> so 2^32 is truncated to 0.

Can this happen on 32bit arch?
In that case kmalloc_size_roundup() will return 0.

	David
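As an added illustration (not code from the patch, the kernel, or either poster), the following C model walks through the two failure paths discussed in this thread: on a 64-bit arch the rounded value 2^32 is representable in size_t but becomes 0 when stored in a 32-bit obj_size, and on a 32-bit arch the roundup itself wraps to 0, which is the case David asks about. The roundup here is a simplified stand-in for the large-allocation path of kmalloc_size_roundup() (whole power-of-two pages, 4 KiB page assumed); checked_obj_size() is a hypothetical defensive check that keeps the full-width value and rejects anything that will not fit the 32-bit field, not the kernel's actual fix.

```c
/* Model of the size-roundup -> 32-bit truncation bug (added example, not
 * kernel code). Page size and rounding policy are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SHIFT 12u                         /* assumed 4 KiB pages */
#define MODEL_PAGE_SIZE  (1ull << MODEL_PAGE_SHIFT)

/* Smallest order such that (PAGE_SIZE << order) >= size. Models only the
 * large-allocation path of kmalloc_size_roundup(); capped so the shift
 * below stays defined for any 64-bit input. */
static unsigned int model_get_order(uint64_t size)
{
    unsigned int order = 0;
    while (order < 64u - MODEL_PAGE_SHIFT && (MODEL_PAGE_SIZE << order) < size)
        order++;
    return order;
}

/* 64-bit arch: size_t is 64 bits, so the roundup of 0x80000001 is the
 * correct 0x100000000 (2^32). The bug is downstream, not here. */
static uint64_t model_roundup_64(uint64_t size)
{
    return MODEL_PAGE_SIZE << model_get_order(size);
}

/* 32-bit arch: size_t is 32 bits; 4096u << 20 is reduced modulo 2^32 and
 * the roundup itself yields 0, as suggested in the reply above. */
static uint32_t model_roundup_32(uint32_t size)
{
    return (uint32_t)MODEL_PAGE_SIZE << model_get_order(size);
}

/* Buggy flow from the quoted commit message: the 64-bit result is stored
 * in a 32-bit obj_size, so 2^32 silently truncates to 0. */
static uint32_t buggy_obj_size(uint64_t size)
{
    uint32_t obj_size = (uint32_t)model_roundup_64(size);
    return obj_size;
}

/* Hypothetical hardened flow: compare in the full width before narrowing.
 * Returns 0 (never a valid rounded size) when the request must be refused. */
static uint32_t checked_obj_size(uint64_t size)
{
    uint64_t rounded = model_roundup_64(size);
    if (rounded == 0 || rounded > UINT32_MAX)
        return 0;
    return (uint32_t)rounded;
}

int main(void)
{
    uint64_t size = 0x80000001ULL;   /* the boundary value from the commit message */

    printf("roundup_64(0x%llx) = 0x%llx\n", (unsigned long long)size,
           (unsigned long long)model_roundup_64(size));
    printf("buggy 32-bit obj_size   = %u\n", buggy_obj_size(size));
    printf("32-bit arch roundup     = %u\n", model_roundup_32((uint32_t)size));
    printf("checked_obj_size        = %u (0 means rejected)\n", checked_obj_size(size));
    printf("checked_obj_size(100)   = %u\n", checked_obj_size(100));
    return 0;
}
```

The point of the checked variant is that the comparison happens on the full-width value: once the result has been narrowed to 32 bits, a value of 0 is indistinguishable from a wrapped 2^32, so no later bounds check on obj_size can recover the error.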