Re: [PATCH] vmalloc: fix buffer overflow in vrealloc_node_align()

Next message: Jonathan Cameron: "Re: [PATCH v2] iio: dac: mcp47feb02: Fix passing uninitialized vref1_uV for no Vref1 case"
Previous message: Dmitry Baryshkov: "Re: [PATCH v3 2/2] drm/bridge: This patch add new DRM bridge driver for LT9611C(EX/UXD) chip"
In reply to: Uladzislau Rezki: "Re: [PATCH] vmalloc: fix buffer overflow in vrealloc_node_align()"
Next in thread: Harry Yoo (Oracle): "Re: [PATCH] vmalloc: fix buffer overflow in vrealloc_node_align()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vlastimil Babka (SUSE)

Date: Mon Apr 20 2026 - 08:22:02 EST

On 4/20/26 13:47, Marco Elver wrote:
> Commit 4c5d3365882d ("mm/vmalloc: allow to set node and align in
> vrealloc") added the ability to force a new allocation if the current
> pointer is on the wrong NUMA node, or if an alignment constraint is not
> met, even if the user is shrinking the allocation.
>
> On this path (need_realloc), the code allocates a new object of 'size'
> bytes and then memcpy()s 'old_size' bytes into it. If the request is to
> shrink the object (size < old_size), this results in an out-of-bounds
> write on the new buffer.
>
> Fix this by bounding the copy length by the new allocation size.
>
> Fixes: 4c5d3365882d ("mm/vmalloc: allow to set node and align in vrealloc")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Reported-by: Harry Yoo (Oracle) <harry@xxxxxxxxxx>
> Signed-off-by: Marco Elver <elver@xxxxxxxxxx>

Acked-by: Vlastimil Babka (SUSE) <vbabka@xxxxxxxxxx>

> ---
> mm/vmalloc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> index 61caa55a4402..8b1124158f54 100644
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -4361,7 +4361,7 @@ void *vrealloc_node_align_noprof(const void *p, size_t size, unsigned long align
> return NULL;
>
> if (p) {
> - memcpy(n, p, old_size);
> + memcpy(n, p, min(size, old_size));
> vfree(p);
> }
>