On Mon, Apr 21, 2025 at 08:05:43PM +0800, Herbert Xu wrote:
> On Mon, Apr 21, 2025 at 01:51:06PM +0800, Su Hui wrote:
> >
> > @@ -433,7 +434,7 @@ static inline struct aead_request *aead_request_alloc(struct crypto_aead *tfm,
> > {
> > struct aead_request *req;
> >
> > - req = kmalloc(sizeof(*req) + crypto_aead_reqsize(tfm), gfp);
> > + req = kmalloc(size_add(sizeof(*req), crypto_aead_reqsize(tfm)), gfp);
>
> This is just wrong. You should fail the allocation altogether
> rather than proceeding with a length that is insufficient.
When size_add() overflows then it returns SIZE_MAX. None of the
allocation functions can allocate SIZE_MAX bytes so kmalloc() will
fail and that's already handled correctly. Meanwhile if
"sizeof(*req) + crypto_aead_reqsize(tfm)" overflows then the
allocation will succeed and it results in memory corruption.
This is exactly what Kees did with the mass conversion to
struct_size(). I occasionally run across places where Kees's mass
conversion patches did fix real integer overflow bugs.
regards,
dan carpenter
