Re: [PATCH v2 1/2] lib/ts_bm: fix integer overflow in pattern length calculation

From: Josh Law

Date: Sun Mar 08 2026 - 16:06:23 EST

8 Mar 2026 19:55:20 Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>:

> On Sun,  8 Mar 2026 18:10:53 +0000 Josh Law <hlcj1234567@xxxxxxxxx> wrote:
>
>> From: Josh Law <objecting@xxxxxxxxxxxxx>
>>
>> The ts_bm algorithm computes the required allocation size by
>> multiplying the pattern length by the size of an integer. If the
>> pattern length is sufficiently large, this can overflow the 32-bit
>> unsigned int before it is widened to size_t. This could result in an
>> undersized allocation and a subsequent heap buffer overflow when
>> copying the pattern.
>>
>> Fix this by explicitly checking that the length does not exceed
>> the maximum safe threshold before calculating the buffer sizes.
>>
>> ...
>>
>> --- a/lib/ts_bm.c
>> +++ b/lib/ts_bm.c
>> @@ -166,6 +166,9 @@ static struct ts_config *bm_init(const void *pattern, unsigned int len,
>>     unsigned int prefix_tbl_len = len * sizeof(unsigned int);
>>     size_t priv_size = sizeof(*bm) + len + prefix_tbl_len;
>
> The above description is referring to this expression?
>
> I think the uints will be promoted to size_t before the addition occurs?
>
> If you're referring to the prefix_tbl_len initialization then yes,
> overflow could happen.
>
>> +   if (unlikely(len == 0 || len > (UINT_MAX - sizeof(*bm)) / (sizeof(unsigned int) + 1)))
>> +       return ERR_PTR(-EINVAL);
>
> Seems odd to perform these (uncommented!) checks after having performed
> the problematic operations.  Something like:
>
>     unsigned int prefix_tbl_len;
>     size_t priv_size;
>
>     /* Explanatory comment goes here */
>     /* Can this actually happen? */
>     if (unlikely(len == 0))
>         return ERR_PTR(-EINVAL);
>
>     /* Explanatory comment goes here */
>     if (unlikely(len > (UINT_MAX - sizeof(*bm)) / (sizeof(unsigned int) + 1))
>         return ERR_PTR(-EINVAL);
>
>     prefix_tbl_len = len * sizeof(unsigned int);
>     priv_size = sizeof(*bm) + len + prefix_tbl_len;
>
>
> Also, please check the various helpers in overflow.h.

Yeah, I'm fixing that now, I also submitted a couple other patches you may want to have a look at


V/R


Josh law