Re: [PATCH v2 1/2] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id

Next message: Kaustabh Chakraborty: "Re: [PATCH 1/7] arm64: dts: exynos7870: relocate ${x}-names property after ${x}"
Previous message: Jan Beulich: "Re: [PATCH] drivers/xen/xenbus: Replace deprecated strcpy in xenbus_transaction_end"
In reply to: Lukas Wunner: "Re: [PATCH v2 1/2] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id"
Next in thread: Lukas Wunner: "Re: [PATCH v2 1/2] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Thorsten Blum

Date: Mon Oct 13 2025 - 04:23:08 EST

On 13. Oct 2025, at 08:24, Lukas Wunner wrote:
> On Sun, Oct 12, 2025 at 10:38:40PM +0200, Thorsten Blum wrote:
>> +++ b/crypto/asymmetric_keys/asymmetric_type.c
>> @@ -141,12 +142,14 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
>> size_t len_2)
>> {
>> struct asymmetric_key_id *kid;
>> + size_t len;
>>
>> - kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
>> - GFP_KERNEL);
>> + if (check_add_overflow(len_1, len_2, &len))
>> + return ERR_PTR(-EOVERFLOW);
>> + kid = kmalloc(struct_size(kid, data, len), GFP_KERNEL);
>
> This will add (at least) 2 bytes to len (namely the size of struct
> asymmetric_key_id)) and may cause an overflow (even if len_1 + len_2
> did not overflow).

Could you explain which part adds "(at least) 2 bytes to len"?

Thanks,
Thorsten