[PATCH v2 0/2] libnvdimm/labels: fix the nslot product overflow and cap the slot count
From: Bryam Vargas via B4 Relay
Date: Wed Jun 24 2026 - 00:19:50 EST
The on-media namespace index nslot is a u32 read from the DIMM label area,
or written from userspace via ND_CMD_SET_CONFIG_DATA. __nd_label_validate()
bounds nslot against config_size, but the product nslot * label_size is
evaluated in 32 bits and wraps, so a crafted nslot passes the check and then
drives an out-of-bounds memset in nd_label_data_init().
Patch 1 evaluates the product in 64 bits so the bound is exact; it is the
targeted fix, tagged for stable. Patch 2 caps nslot, so a bogus
firmware-reported config_size cannot admit a large slot count -- and the large
allocation it implies -- even after the product is computed correctly.
The sibling multiply in sizeof_namespace_index() derives nslot from config_size
via nvdimm_num_label_slots(), not the on-media field, so it cannot overflow and
is left unchanged.
Verified on -m64 and -m32: the 64-bit bound agrees with an exact divide-based
check on the boundary and on randomized inputs, and the cap rejects every
wrapping one. The same crafted nslot is an out-of-bounds write on -m32 but not
on -m64 before the fix. An out-of-tree module mirroring nd_label_data_init()
reproduces the KASAN slab-out-of-bounds write unpatched and is clean with
either patch; harness available on request.
A negative ndctl test (test/label-compat.sh, oversize nslot) covering both
patches will follow separately, per Alison's suggestion.
v1 (single patch):
https://lore.kernel.org/all/20260620-b4-disp-7f43b155-v1-1-0cfd8017f7a0@xxxxxxxxx/
v2: split the exact fix and the cap into two patches per review; the
Reviewed-by and Suggested-by are recorded on the respective patches.
Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
---
Bryam Vargas (2):
libnvdimm/labels: Prevent integer overflow in __nd_label_validate()
libnvdimm/labels: reject an implausibly large on-media slot count
drivers/nvdimm/label.c | 6 +++++-
drivers/nvdimm/label.h | 7 +++++++
2 files changed, 12 insertions(+), 1 deletion(-)
---
base-commit: 502d801f0ab03e4f32f9a33d203154ce84887921
change-id: 20260623-b4-disp-1f2c537a-50ca829a9ea6
Best regards,
--
Bryam Vargas <hexlabsecurity@xxxxxxxxx>