* [PATCH] mm/zsmalloc: prevent integer overflow in obj_free
@ 2025-03-13 11:51 Anastasia Belova
2025-03-13 14:42 ` Sergey Senozhatsky
From: Anastasia Belova @ 2025-03-13 11:51 UTC (permalink / raw)
To: Minchan Kim
Cc: Anastasia Belova, Sergey Senozhatsky, Andrew Morton, linux-mm,
linux-kernel, lvc-project
The result of multiplying class_size and f_objidx
may not fit in an unsigned integer. Add an explicit cast to
unsigned long to prevent integer overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: bfd093f5e7f0 ("zsmalloc: use freeobj for index")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
---
mm/zsmalloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index 6d0e47f7ae33..96e0b04ff278 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1421,7 +1421,7 @@ static void obj_free(int class_size, unsigned long obj)
obj_to_location(obj, &f_zpdesc, &f_objidx);
- f_offset = offset_in_page(class_size * f_objidx);
+ f_offset = offset_in_page((unsigned long)class_size * f_objidx);
zspage = get_zspage(f_zpdesc);
vaddr = kmap_local_zpdesc(f_zpdesc);
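Review bot: the cast on the `+` line widens the multiplication to unsigned long, but the patch carries a Fixes: tag without showing a reachable overflow, and the description gives no input that produces one. f_objidx is the object's index within its zspage and class_size is at most ZS_MAX_ALLOC_SIZE (PAGE_SIZE), so the product is the object's byte offset inside a zspage that spans at most ZS_MAX_PAGES_PER_ZSPAGE pages, far below 2^32; bounding the index by OBJ_INDEX_MASK describes the handle encoding, not how many objects a zspage can hold. Since offset_in_page() then masks the result to PAGE_SIZE - 1 anyway, either add a concrete case to the commit message showing how an index large enough to overflow is reached, or drop the change as a static-analyzer false positive rather than merging it as a fix.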
--
2.43.0
* Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free
2025-03-13 11:51 [PATCH] mm/zsmalloc: prevent integer overflow in obj_free Anastasia Belova
@ 2025-03-13 14:42 ` Sergey Senozhatsky
2025-03-20 9:12 ` Anastasia Belova
From: Sergey Senozhatsky @ 2025-03-13 14:42 UTC (permalink / raw)
To: Anastasia Belova
Cc: Minchan Kim, Sergey Senozhatsky, Andrew Morton, linux-mm,
linux-kernel, lvc-project
On (25/03/13 14:51), Anastasia Belova wrote:
> The result of multiplying class_size and f_objidx
> may not fit in an unsigned integer. Add an explicit cast to
> unsigned long to prevent integer overflow.
I can't see how this can be possible. Neither size_class nor
object idx can take values to cause mul overflow.
* Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free
2025-03-13 14:42 ` Sergey Senozhatsky
@ 2025-03-20 9:12 ` Anastasia Belova
2025-03-25 3:24 ` Sergey Senozhatsky
From: Anastasia Belova @ 2025-03-20 9:12 UTC (permalink / raw)
To: Sergey Senozhatsky
Cc: Minchan Kim, Andrew Morton, linux-mm, linux-kernel, lvc-project
On 3/13/25 5:42 PM, Sergey Senozhatsky wrote:
> On (25/03/13 14:51), Anastasia Belova wrote:
>> The result of multiplying class_size and f_objidx
>> may not fit in an unsigned integer. Add an explicit cast to
>> unsigned long to prevent integer overflow.
> I can't see how this can be possible. Neither size_class nor
> object idx can take values to cause mul overflow.
The object index may be up to
OBJ_INDEX_MASK = ((_AC(1, UL) << OBJ_INDEX_BITS) - 1) = ((_AC(1, UL) << PAGE_SHIFT) - 1)
and class_size may be up to ZS_MAX_ALLOC_SIZE = PAGE_SIZE.
If the address (and unsigned long) is 64-bit, the result of the multiplication
won't fit in a 32-bit integer. Please correct me if I'm wrong.
Best regards,
Anastasia Belova
* Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free
2025-03-20 9:12 ` Anastasia Belova
@ 2025-03-25 3:24 ` Sergey Senozhatsky
From: Sergey Senozhatsky @ 2025-03-25 3:24 UTC (permalink / raw)
To: Anastasia Belova
Cc: Sergey Senozhatsky, Minchan Kim, Andrew Morton, linux-mm,
linux-kernel, lvc-project
On (25/03/20 12:12), Anastasia Belova wrote:
> If address (and unsigned long) is 64-bit, the result of multiplication
> won't fit 32-bit integer. Please correct me if I'm wrong.
Even if we'd consider s32 that should be an object offset of more
than 2B bytes within its zspage, we never have anything like this.