On Mon, Oct 13, 2025 at 10:23:01AM +0200, Thorsten Blum wrote:
On 13. Oct 2025, at 08:24, Lukas Wunner wrote:
On Sun, Oct 12, 2025 at 10:38:40PM +0200, Thorsten Blum wrote:
+++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -141,12 +142,14 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1, size_t len_2) { struct asymmetric_key_id *kid;
- size_t len;
- kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
GFP_KERNEL);
- if (check_add_overflow(len_1, len_2, &len))
return ERR_PTR(-EOVERFLOW);- kid = kmalloc(struct_size(kid, data, len), GFP_KERNEL);
This will add (at least) 2 bytes to len (namely the size of struct asymmetric_key_id)) and may cause an overflow (even if len_1 + len_2 did not overflow).
Could you explain which part adds "(at least) 2 bytes to len"?
The struct_size() macro performs another size_add() to add the size of struct asymmetric_key_id (which is at least 2 bytes) to len:
#define struct_size(p, member, count) \ __builtin_choose_expr(__is_constexpr(count), \ sizeof(*(p)) + flex_array_size(p, member, count), \ size_add(sizeof(*(p)), flex_array_size(p, member, count))) ^^^^^^^^
So there's an addition of three numbers, yet you're only checking that the addition of two of them doesn't overflow.
Thanks,
Lukas