git.ipfire.org Git - thirdparty/kernel/linux.git/commit
lib/ts_bm: fix integer overflow in pattern length calculation
author Josh Law <objecting@objecting.org>
Sun, 8 Mar 2026 20:20:27 +0000 (20:20 +0000)
committer Andrew Morton <akpm@linux-foundation.org>
Sat, 28 Mar 2026 04:19:44 +0000 (21:19 -0700)
commit 9003ec6f7f394943880618737d797a9f257e6e1e
tree b90373f19ebcb71184f6bc9febce450e18c29426
parent 7aa89307fcbff038a13c3891e2e94674adc59237

The ts_bm algorithm stores its good_shift[] table and pattern in a single
allocation sized from the pattern length.  If the good_shift[] size
calculation wraps, the resulting allocation can be too small and
subsequent pattern copies can overflow it.

Fix this by rejecting zero-length patterns and by using overflow helpers
before calculating the combined allocation size.

This fixes a potential heap overflow.  The pattern length calculation can
wrap during a size_t addition, leading to an undersized allocation.
Because the textsearch library is reachable from userspace via Netfilter's
xt_string module, this is a security risk that should be backported to LTS
kernels.

Link: https://lkml.kernel.org/r/20260308202028.2889285-1-objecting@objecting.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
lib/ts_bm.c
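
The sizing problem the commit message describes, as an added userspace example (not the kernel's code and not this patch). The struct layout and function names are assumptions, and the GCC/Clang overflow builtins stand in for the kernel's overflow helpers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical private-data layout (an assumption, not the kernel struct):
 * fixed header, one shift entry per pattern byte, then the pattern bytes. */
struct bm_model {
    unsigned int patlen;
    unsigned int good_shift[];
};

/* Unchecked sizing: every step is modular size_t arithmetic, so a very
 * large len silently produces a total smaller than what is needed. */
static size_t bm_size_unchecked(size_t len)
{
    return sizeof(struct bm_model) + len * sizeof(unsigned int) + len;
}

/* Checked sizing: reject empty patterns, then fail on any wrap.
 * Returns 0 and stores the size in *out, or -1 for an invalid request. */
static int bm_size_checked(size_t len, size_t *out)
{
    size_t table, total;

    if (len == 0)
        return -1;
    if (__builtin_mul_overflow(len, sizeof(unsigned int), &table))
        return -1;
    if (__builtin_add_overflow(table, len, &total))
        return -1;
    if (__builtin_add_overflow(total, sizeof(struct bm_model), &total))
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed input: smallest len whose shift table size wraps to 0. */
    size_t wrap_len = SIZE_MAX / sizeof(unsigned int) + 1;
    size_t sz = 0;

    printf("unchecked(%zu) = %zu\n", wrap_len, bm_size_unchecked(wrap_len));
    printf("checked(%zu)   = %d\n", wrap_len, bm_size_checked(wrap_len, &sz));
    printf("checked(8)     = %d, size %zu\n", bm_size_checked(8, &sz), sz);
    return 0;
}
```

With the unchecked version, an allocator would be handed a size that no longer accounts for the shift table, while the checked version refuses the request before any allocation happens.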