[PATCH] mm/zsmalloc: prevent integer overflow in obj_free

Posted by Anastasia Belova 9 months, 1 week ago
The result of multiplication of class_size and f_objidx
may not fit unsigned integer. Add explicit casting to
unsigned long to prevent integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: bfd093f5e7f0 ("zsmalloc: use freeobj for index")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
---
 mm/zsmalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index 6d0e47f7ae33..96e0b04ff278 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1421,7 +1421,7 @@ static void obj_free(int class_size, unsigned long obj)
 
 
 	obj_to_location(obj, &f_zpdesc, &f_objidx);
-	f_offset = offset_in_page(class_size * f_objidx);
+	f_offset = offset_in_page((unsigned long)class_size * f_objidx);
 	zspage = get_zspage(f_zpdesc);
 
 	vaddr = kmap_local_zpdesc(f_zpdesc);
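Review bot: the commit message asserts that class_size * f_objidx may not fit an unsigned integer but gives no bound for either operand, and the maintainer's reply in this thread disputes that such values are reachable; please state the maximum class_size and object index and the resulting product in the message, because if the product cannot exceed 32 bits the cast in `f_offset = offset_in_page((unsigned long)class_size * f_objidx);` changes nothing and the Fixes: tag should be reconsidered. Note also that offset_in_page() keeps only the in-page bits, so a product that wraps as an unsigned int yields the same offset as the widened one; the only overflow the cast can remove is a signed one, which depends on the declared type of f_objidx, not shown in this hunk.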
-- 
2.43.0
Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free
Posted by Sergey Senozhatsky 9 months, 1 week ago
On (25/03/13 14:51), Anastasia Belova wrote:
> The result of multiplication of class_size and f_objidx
> may not fit unsigned integer. Add explicit casting to
> unsigned long to prevent integer overflow.

I can't see how this can be possible.  Neither size_class nor
object idx can take values to cause mul overflow.
Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free
Posted by Anastasia Belova 9 months ago
On 3/13/25 5:42 PM, Sergey Senozhatsky wrote:
> On (25/03/13 14:51), Anastasia Belova wrote:
>> The result of multiplication of class_size and f_objidx
>> may not fit unsigned integer. Add explicit casting to
>> unsigned long to prevent integer overflow.
> I can't see how this can be possible.  Neither size_class nor
> object idx can take values to cause mul overflow.

object index may be up to OBJ_INDEX_MASK = ((_AC(1, UL) << OBJ_INDEX_BITS) - 1) = ((_AC(1, UL) << PAGE_SHIFT) - 1)

class_size may be up to ZS_MAX_ALLOC_SIZE = PAGE_SIZE.

If address (and unsigned long) is 64-bit, the result of multiplication
won't fit 32-bit integer. Please correct me if I'm wrong.

Best regards,
Anastasia Belova
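To check the bounds quoted above, here is an added C model of the offset computation in obj_free(); it is constructed for this thread and is not kernel code. It assumes f_objidx is an unsigned int (the hunk does not show its declaration), OBJ_INDEX_BITS == PAGE_SHIFT as quoted, and a 64-bit unsigned long (modelled with uint64_t).

```c
#include <stdbool.h>
#include <stdint.h>
#include <limits.h>

/* Result of evaluating obj_free()'s offset computation at the maximum
 * operand values quoted in the thread. Constructed model, not kernel code. */
struct overflow_check {
	uint64_t max_product;  /* class_size * f_objidx, multiplied at 64 bits */
	bool exceeds_uint;     /* would wrap if multiplied as unsigned int */
	bool exceeds_int;      /* larger than INT_MAX (signed overflow territory) */
	uint64_t off_narrow;   /* offset_in_page() of the 32-bit product */
	uint64_t off_wide;     /* offset_in_page() of the widened product */
};

/* Equivalent of the kernel's offset_in_page(): keep only the in-page bits. */
static uint64_t offset_in_page(uint64_t p, unsigned int page_shift)
{
	return p & ((UINT64_C(1) << page_shift) - 1);
}

/* Assumes f_objidx is an unsigned int, so int * unsigned int is evaluated as
 * unsigned int: it wraps modulo 2^32 and is not undefined behaviour. The
 * low page_shift bits survive that wrap, so both offsets must agree. */
bool offsets_agree(int class_size, unsigned int f_objidx, unsigned int page_shift)
{
	uint64_t narrow = offset_in_page(class_size * f_objidx, page_shift);
	uint64_t wide = offset_in_page((uint64_t)class_size * f_objidx, page_shift);
	return narrow == wide;
}

/* Largest index is OBJ_INDEX_MASK = (1 << PAGE_SHIFT) - 1 and the largest
 * class_size is ZS_MAX_ALLOC_SIZE = PAGE_SIZE, as quoted in the thread. */
struct overflow_check check_obj_free_offset(unsigned int page_shift)
{
	struct overflow_check r;
	int class_size = (int)(1u << page_shift);        /* ZS_MAX_ALLOC_SIZE */
	unsigned int f_objidx = (1u << page_shift) - 1;  /* OBJ_INDEX_MASK */

	r.max_product = (uint64_t)class_size * f_objidx;
	r.exceeds_uint = r.max_product > UINT_MAX;
	r.exceeds_int = r.max_product > INT_MAX;
	r.off_narrow = offset_in_page(class_size * f_objidx, page_shift);
	r.off_wide = offset_in_page((uint64_t)class_size * f_objidx, page_shift);
	return r;
}
```

With 4K pages (PAGE_SHIFT 12) the maximum product is 2^24 - 2^12; with 64K pages it exceeds INT_MAX but still fits an unsigned int, and in both cases offset_in_page() returns the same value whether the multiplication is done at 32 or 64 bits.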
Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free
Posted by Sergey Senozhatsky 8 months, 3 weeks ago
On (25/03/20 12:12), Anastasia Belova wrote:
> If address (and unsigned long) is 64-bit, the result of multiplication
> won't fit 32-bit integer. Please correct me if I'm wrong.

Even if we'd consider s32 that should be an object offset of more
than 2B bytes within its zspage, we never have anything like this.