Re: [PATCH v2 1/2] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id

Next message: syzbot: "[syzbot] Monthly integrity report (Oct 2025)"
Previous message: David Hildenbrand: "Re: [PATCH v4] hugetlbfs: check for shareable lock before calling huge_pmd_unshare()"
In reply to: Thorsten Blum: "Re: [PATCH v2 1/2] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Lukas Wunner

Date: Mon Oct 13 2025 - 04:31:26 EST

On Mon, Oct 13, 2025 at 10:23:01AM +0200, Thorsten Blum wrote:
> On 13. Oct 2025, at 08:24, Lukas Wunner wrote:
> > On Sun, Oct 12, 2025 at 10:38:40PM +0200, Thorsten Blum wrote:
> >> +++ b/crypto/asymmetric_keys/asymmetric_type.c
> >> @@ -141,12 +142,14 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
> >> size_t len_2)
> >> {
> >> struct asymmetric_key_id *kid;
> >> + size_t len;
> >>
> >> - kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
> >> - GFP_KERNEL);
> >> + if (check_add_overflow(len_1, len_2, &len))
> >> + return ERR_PTR(-EOVERFLOW);
> >> + kid = kmalloc(struct_size(kid, data, len), GFP_KERNEL);
> >
> > This will add (at least) 2 bytes to len (namely the size of struct
> > asymmetric_key_id)) and may cause an overflow (even if len_1 + len_2
> > did not overflow).
>
> Could you explain which part adds "(at least) 2 bytes to len"?

The struct_size() macro performs another size_add() to add the
size of struct asymmetric_key_id (which is at least 2 bytes) to len:

#define struct_size(p, member, count) \
__builtin_choose_expr(__is_constexpr(count), \
sizeof(*(p)) + flex_array_size(p, member, count), \
size_add(sizeof(*(p)), flex_array_size(p, member, count)))
^^^^^^^^

So there's an addition of three numbers, yet you're only checking that
the addition of two of them doesn't overflow.

Thanks,

Lukas