git.ipfire.org Git - thirdparty/kernel/linux.git/commit
lib/ts_kmp: fix integer overflow in pattern length calculation
author Josh Law <objecting@objecting.org>
Sun, 8 Mar 2026 20:20:28 +0000 (20:20 +0000)
committer Andrew Morton <akpm@linux-foundation.org>
Sat, 28 Mar 2026 04:19:44 +0000 (21:19 -0700)
commit 8cdf30813ea8ce881cecc08664144416dbdb3e16
tree 03bbb6bc20fa01c84992a6b4c3011792fcfaadca
parent 9003ec6f7f394943880618737d797a9f257e6e1e
lib/ts_kmp: fix integer overflow in pattern length calculation

The ts_kmp algorithm stores its prefix_tbl[] table and pattern in a single
allocation sized from the pattern length.  If the prefix_tbl[] size
calculation wraps, the resulting allocation can be too small and
subsequent pattern copies can overflow it.

Fix this by rejecting zero-length patterns and by using overflow helpers
before calculating the combined allocation size.

This fixes a potential heap overflow.  The pattern length calculation can
wrap during a size_t addition, leading to an undersized allocation.
Because the textsearch library is reachable from userspace via Netfilter's
xt_string module, this is a security risk that should be backported to LTS
kernels.

Link: https://lkml.kernel.org/r/20260308202028.2889285-2-objecting@objecting.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
lib/ts_kmp.c
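
The size wrap described in the commit message, next to a checked form, as an added user-space example (not the kernel patch and not code from lib/ts_kmp.c). HDR_SIZE, the function names and the fixed 32-bit arithmetic are assumptions chosen to make the wrap reproducible; the GCC/Clang __builtin_*_overflow builtins stand in for the kernel overflow helpers the message mentions.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE 16u /* assumed size of the fixed part before the table */

/* Unchecked: header + len table entries + len pattern bytes, in 32 bits. */
static uint32_t size_unchecked(uint32_t len)
{
    uint32_t tbl = len * (uint32_t)sizeof(uint32_t); /* may wrap */
    return HDR_SIZE + tbl + len;                     /* may wrap */
}

/* Checked: returns 0 and stores the size, or -1 if len is 0 or a step wraps. */
static int size_checked(uint32_t len, uint32_t *out)
{
    uint32_t tbl, total;

    if (len == 0)
        return -1;
    if (__builtin_mul_overflow(len, (uint32_t)sizeof(uint32_t), &tbl))
        return -1;
    if (__builtin_add_overflow(tbl, len, &total) ||
        __builtin_add_overflow(total, HDR_SIZE, &total))
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed lengths: ordinary, sum wraps, product wraps, empty. */
    const uint32_t lens[] = { 8u, 0x33333333u, 0x40000000u, 0u };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        uint32_t sz = 0;
        int rc = size_checked(lens[i], &sz);
        printf("len=%#x unchecked=%u checked=%s\n", (unsigned)lens[i],
               (unsigned)size_unchecked(lens[i]), rc ? "rejected" : "ok");
    }
    return 0;
}
```

For the constructed length 0x33333333 the unchecked sum comes out as 15 bytes, far smaller than the pattern itself, which is the undersized-allocation condition; the checked form rejects that length instead of returning a size.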