[PATCH 1/1] netfilter: ipset: Fix oversized kvmalloc() calls

From: Jozsef Kadlecsik
Date: Mon Sep 06 2021 - 12:26:41 EST


The commit

commit 7661809d493b426e979f39ab512e3adf41fbcc69
Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Date: Wed Jul 14 09:45:49 2021 -0700

mm: don't allow oversized kvmalloc() calls

limits the max allocatable memory via kvmalloc() to MAX_INT. Apply the
same limit in ipset.

Reported-by: syzbot+3493b1873fb3ea827986@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: syzbot+2b8443c35458a617c904@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: syzbot+ee5cb15f4a0e85e0d54e@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx>
---
net/netfilter/ipset/ip_set_hash_gen.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 6186358eac7c..6e391308431d 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -130,11 +130,11 @@ htable_size(u8 hbits)
{
size_t hsize;

- /* We must fit both into u32 in jhash and size_t */
+ /* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */
if (hbits > 31)
return 0;
hsize = jhash_size(hbits);
- if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *)
+ if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *)
< hsize)
return 0;

--
2.20.1

Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary