The fscache_set_key() function allocates the buf pointer if index_key_len > sizeof(cookie->inline_key). In such cases the allocated space might not be aligned with the pointer type. This may result in an out-of-bound in the for-loop later in the same function, as the counter is rounded up. Signed-off-by: Tomas Bortoli <tomasbortoli@xxxxxxxxx> Reported-by: syzbot+a95b989b2dde8e806af8@xxxxxxxxxxxxxxxxxxxxxxxxx --- fs/fscache/cookie.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c index 97137d7ec5ee..ed28bfb6a0fe 100644 --- a/fs/fscache/cookie.c +++ b/fs/fscache/cookie.c @@ -98,7 +98,7 @@ static int fscache_set_key(struct fscache_cookie *cookie, cookie->key_len = index_key_len; if (index_key_len > sizeof(cookie->inline_key)) { - buf = kzalloc(index_key_len, GFP_KERNEL); + buf = kzalloc(round_up(index_key_len, sizeof(u32)), GFP_KERNEL); if (!buf) return -ENOMEM; cookie->key = buf; -- 2.11.0 -- Linux-cachefs mailing list Linux-cachefs@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/linux-cachefs
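Review bot: the change to the kzalloc() size is the right fix for the word-wise loop reading past the buffer, but the commit message describes the problem as an alignment issue ("might not be aligned with the pointer type"), which is misleading: kzalloc() returns suitably aligned memory regardless of size, and the actual defect is that an allocation of index_key_len bytes is not necessarily a multiple of sizeof(u32), so a loop whose iteration count is rounded up to whole u32 words reads up to three bytes beyond the end of the buffer. Suggest rewording the first paragraph to say that, and "out-of-bound" should read "out-of-bounds". It is also worth stating explicitly in the message that the fix relies on kzalloc() zero-filling the padding bytes between index_key_len and round_up(index_key_len, sizeof(u32)): the hash computed over those trailing words is only deterministic because they are zeroed, so anyone later switching this to kmalloc() would reintroduce reads of uninitialised memory into the key hash. Finally, this hunk only covers the heap path; the inline_key path taken when index_key_len <= sizeof(cookie->inline_key) is not visible here, so a sentence confirming that the same rounded-up loop cannot run past inline_key would make the message self-contained.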