[PATCH v2 2/2] lib/ts_kmp: fix integer overflow in pattern length calculation

From: Josh Law

Date: Sun Mar 08 2026 - 14:11:46 EST


From: Josh Law <objecting@xxxxxxxxxxxxx>

The ts_kmp algorithm computes the required allocation size by
multiplying the pattern length by the size of an integer. If the
pattern length is sufficiently large, this can overflow the 32-bit
unsigned int before it is widened to size_t. This could result in an
undersized allocation and a subsequent heap buffer overflow when
copying the pattern.

Fix this by explicitly checking that the length does not exceed
the maximum safe threshold before calculating the buffer sizes.

Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
---
lib/ts_kmp.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/lib/ts_kmp.c b/lib/ts_kmp.c
index 5520dc28255a..e07f5e80d076 100644
--- a/lib/ts_kmp.c
+++ b/lib/ts_kmp.c
@@ -97,6 +97,9 @@ static struct ts_config *kmp_init(const void *pattern, unsigned int len,
unsigned int prefix_tbl_len = len * sizeof(unsigned int);
size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len;

+ if (unlikely(len == 0 || len > (UINT_MAX - sizeof(*kmp)) / (sizeof(unsigned int) + 1)))
+ return ERR_PTR(-EINVAL);
+
conf = alloc_ts_config(priv_size, gfp_mask);
if (IS_ERR(conf))
return conf;
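Review bot: the new check runs after `prefix_tbl_len` and `priv_size` have already been computed from the unchecked `len` on the two lines above it, so the narrowing the commit message describes still happens before the bound is tested; the result is only safe because `priv_size` is not used until `alloc_ts_config()`. Move the `if` ahead of those two declarations (or declare `prefix_tbl_len` as `size_t`) so no truncated value is ever formed. Separately, rejecting `len == 0` with `-EINVAL` is a behavioural change the commit message does not mention; either describe it there or split it into its own patch.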
--
2.43.0