Re: [PATCH v2 1/2] lib/ts_bm: fix integer overflow in pattern length calculation

From: Josh Law

Date: Sun Mar 08 2026 - 16:15:37 EST

8 Mar 2026 20:06:15 Josh Law <hlcj1234567@xxxxxxxxx>:

> 8 Mar 2026 19:55:20 Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>:
>
>> On Sun,  8 Mar 2026 18:10:53 +0000 Josh Law <hlcj1234567@xxxxxxxxx> wrote:
>>
>>> From: Josh Law <objecting@xxxxxxxxxxxxx>
>>>
>>> The ts_bm algorithm computes the required allocation size by
>>> multiplying the pattern length by the size of an integer. If the
>>> pattern length is sufficiently large, this can overflow the 32-bit
>>> unsigned int before it is widened to size_t. This could result in an
>>> undersized allocation and a subsequent heap buffer overflow when
>>> copying the pattern.
>>>
>>> Fix this by explicitly checking that the length does not exceed
>>> the maximum safe threshold before calculating the buffer sizes.
>>>
>>> ...
>>>
>>> --- a/lib/ts_bm.c
>>> +++ b/lib/ts_bm.c
>>> @@ -166,6 +166,9 @@ static struct ts_config *bm_init(const void *pattern, unsigned int len,
>>>     unsigned int prefix_tbl_len = len * sizeof(unsigned int);
>>>     size_t priv_size = sizeof(*bm) + len + prefix_tbl_len;
>>
>> The above description is referring to this expression?
>>
>> I think the uints will be promoted to size_t before the addition occurs?
>>
>> If you're referring to the prefix_tbl_len initialization then yes,
>> overflow could happen.
>>
>>> +   if (unlikely(len == 0 || len > (UINT_MAX - sizeof(*bm)) / (sizeof(unsigned int) + 1)))
>>> +       return ERR_PTR(-EINVAL);
>>
>> Seems odd to perform these (uncommented!) checks after having performed
>> the problematic operations.  Something like:
>>
>>     unsigned int prefix_tbl_len;
>>     size_t priv_size;
>>
>>     /* Explanatory comment goes here */
>>     /* Can this actually happen? */
>>     if (unlikely(len == 0))
>>         return ERR_PTR(-EINVAL);
>>
>>     /* Explanatory comment goes here */
>>     if (unlikely(len > (UINT_MAX - sizeof(*bm)) / (sizeof(unsigned int) + 1))
>>         return ERR_PTR(-EINVAL);
>>
>>     prefix_tbl_len = len * sizeof(unsigned int);
>>     priv_size = sizeof(*bm) + len + prefix_tbl_len;
>>
>>
>> Also, please check the various helpers in overflow.h.
>
> Yeah, I'm fixing that now, I also submitted a couple other patches you may want to have a look at
>
>
> V/R
>
>
> Josh law

Oh and also, sorry for bugging, but I have  a maintainers patch I sent, and another one you need to look at,

V/R


Josh law