Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free

From: Anastasia Belova
Date: Thu Mar 20 2025 - 05:12:56 EST



On 3/13/25 5:42 PM, Sergey Senozhatsky wrote:
> On (25/03/13 14:51), Anastasia Belova wrote:
>> The result of multiplication of class_size and f_objidx
>> may not fit in an unsigned integer. Add explicit casting to
>> unsigned long to prevent integer overflow.
> I can't see how this can be possible. Neither size_class nor
> object idx can take values to cause mul overflow.

Object index may be up to OBJ_INDEX_MASK = ((_AC(1, UL) << OBJ_INDEX_BITS) - 1)
= ((_AC(1, UL) << PAGE_SHIFT) - 1).

class_size may be up to ZS_MAX_ALLOC_SIZE = PAGE_SIZE.

If address (and unsigned long) is 64-bit, the result of multiplication
won't fit in a 32-bit integer. Please correct me if I'm wrong.

Best regards,
Anastasia Belova
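A worked check of the bound argument in this thread, added here as an example and not code from the zsmalloc patch or from either participant. It models class_size and f_objidx as 32-bit unsigned operands (an assumption for the example), evaluates the product both as C computes it without a cast and with the widening cast the patch proposes, and computes the largest product the stated bounds (idx <= (1 << PAGE_SHIFT) - 1, class_size <= PAGE_SIZE) permit for a given PAGE_SHIFT, so the reader can see for which page sizes the 32-bit multiply would actually wrap.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: both operands are 32-bit unsigned ints,
 * and the wide type is 64 bits (uint64_t stands in for a 64-bit unsigned long). */

/* Product as C evaluates it when both operands are unsigned int:
 * the multiplication is done in 32 bits and wraps modulo 2^32
 * before the result is widened to 64 bits. */
uint64_t narrow_product(unsigned int class_size, unsigned int idx)
{
    return class_size * idx;   /* 32-bit multiply, then widening */
}

/* Product with the explicit widening cast: the multiply is done in 64 bits. */
uint64_t wide_product(unsigned int class_size, unsigned int idx)
{
    return (uint64_t)class_size * idx;
}

/* Largest product the bounds quoted in the mail allow for a given PAGE_SHIFT:
 * idx <= (1 << PAGE_SHIFT) - 1 and class_size <= 1 << PAGE_SHIFT. */
uint64_t max_product(unsigned int page_shift)
{
    uint64_t max_idx = (UINT64_C(1) << page_shift) - 1;
    uint64_t max_class_size = UINT64_C(1) << page_shift;
    return max_idx * max_class_size;
}

/* Returns 1 if the worst case exceeds UINT_MAX, i.e. a 32-bit multiply
 * would wrap and the widening cast changes the result. */
int needs_widening(unsigned int page_shift)
{
    return max_product(page_shift) > UINT_MAX;
}

int main(void)
{
    unsigned int shifts[] = { 12, 16, 17 };   /* 4K, 64K pages, and a hypothetical 128K */
    for (unsigned int i = 0; i < sizeof shifts / sizeof shifts[0]; i++) {
        unsigned int s = shifts[i];
        unsigned int max_idx = (1u << s) - 1;
        unsigned int max_class_size = 1u << s;
        printf("PAGE_SHIFT=%u: max product %llu, narrow %llu, wide %llu, wraps=%d\n",
               s,
               (unsigned long long)max_product(s),
               (unsigned long long)narrow_product(max_class_size, max_idx),
               (unsigned long long)wide_product(max_class_size, max_idx),
               needs_widening(s));
    }
    return 0;
}
```

With the bounds as stated, the worst-case product is (2^PAGE_SHIFT - 1) * 2^PAGE_SHIFT, which stays below 2^32 for every PAGE_SHIFT up to 16; the narrow and wide products only diverge once PAGE_SHIFT exceeds 16.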