Commit 82d1f012 authored by Marco Elver, committed by Andrew Morton

vmalloc: fix buffer overflow in vrealloc_node_align()

Commit 4c5d3365 ("mm/vmalloc: allow to set node and align in
vrealloc") added the ability to force a new allocation if the current
pointer is on the wrong NUMA node, or if an alignment constraint is not
met, even if the user is shrinking the allocation.

On this path (need_realloc), the code allocates a new object of 'size'
bytes and then memcpy()s 'old_size' bytes into it.  If the request is to
shrink the object (size < old_size), this results in an out-of-bounds
write on the new buffer.

Fix this by bounding the copy length by the new allocation size.

Link: https://lore.kernel.org/20260420114805.3572606-2-elver@google.com
Fixes: 4c5d3365 ("mm/vmalloc: allow to set node and align in vrealloc")
Signed-off-by: Marco Elver <elver@google.com>
Reported-by: Harry Yoo (Oracle) <harry@kernel.org>
Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
parent 254f4963
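The commit message describes a copy of old_size bytes into a buffer of size bytes, which overruns the new buffer whenever the caller shrinks. The following is an added user-space model of that need_realloc path, written for this page and not taken from the kernel or from the commit: it places a guard region directly after the newly allocated buffer so the overrun can be observed without undefined behaviour, and contrasts the original copy length (old_size) with the fixed one (min(size, old_size)). The function names, the guard layout, and the 64-byte sample buffer are all constructed for the example.

```c
/*
 * Added example (not kernel code): a user-space model of the
 * vrealloc_node_align() "need_realloc" path. A new buffer of `size`
 * bytes is allocated and the old contents copied in; the copy length
 * is the only thing the fix changes.
 *
 * To make the overrun observable without undefined behaviour, the new
 * buffer is allocated with GUARD_LEN extra bytes after it. An
 * unbounded copy lands in the guard, which we then inspect. In the
 * real kernel the bytes past `size` belong to someone else.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  64
#define GUARD_BYTE 0xA5

/* Copy length used by the original code: always old_size. */
static size_t copy_len_unbounded(size_t size, size_t old_size)
{
	(void)size;
	return old_size;
}

/* Copy length after the fix: min(size, old_size). */
static size_t copy_len_bounded(size_t size, size_t old_size)
{
	return size < old_size ? size : old_size;
}

/*
 * Model of the realloc path. Allocates `size` bytes plus a guard,
 * copies copy_len(size, old_size) bytes from `old`, and reports
 * whether the guard stayed intact: 1 = intact, 0 = the copy wrote
 * past `size`, -1 = allocation failure or a case the guard cannot
 * absorb. If `out` is non-NULL the new buffer is handed back and the
 * caller frees it; otherwise it is freed here.
 */
static int realloc_model(const unsigned char *old, size_t old_size, size_t size,
			 size_t (*copy_len)(size_t, size_t), unsigned char **out)
{
	size_t len = copy_len(size, old_size);
	unsigned char *n;
	int intact = 1;

	/* Both policies return len <= old_size, so the read is in bounds;
	 * refuse cases where the write would run past the guard as well. */
	if (len > size + GUARD_LEN)
		return -1;
	n = malloc(size + GUARD_LEN);
	if (!n)
		return -1;
	memset(n, 0, size);
	memset(n + size, GUARD_BYTE, GUARD_LEN);
	memcpy(n, old, len);	/* the statement the patch changes */
	for (size_t i = 0; i < GUARD_LEN; i++) {
		if (n[size + i] != GUARD_BYTE) {
			intact = 0;
			break;
		}
	}
	if (out)
		*out = n;
	else
		free(n);
	return intact;
}

/* Shrink a constructed 64-byte buffer to 16 bytes under both policies.
 * Returns 1 when the unbounded copy corrupts the guard, the bounded
 * copy does not, and the surviving 16-byte prefix is preserved. */
int demo_shrink(void)
{
	unsigned char old[64];
	unsigned char *n = NULL;
	int buggy, fixed, prefix_ok;

	for (size_t i = 0; i < sizeof old; i++)
		old[i] = (unsigned char)i;	/* constructed sample contents */
	buggy = realloc_model(old, sizeof old, 16, copy_len_unbounded, NULL);
	fixed = realloc_model(old, sizeof old, 16, copy_len_bounded, &n);
	prefix_ok = n && memcmp(n, old, 16) == 0;
	free(n);
	return buggy == 0 && fixed == 1 && prefix_ok;
}

/* Grow a 16-byte buffer to 64 bytes with the fixed policy; the bound is
 * old_size here, so all 16 bytes are copied and the guard is untouched. */
int demo_grow(void)
{
	unsigned char old[16];
	unsigned char *n = NULL;
	int fixed, prefix_ok;

	for (size_t i = 0; i < sizeof old; i++)
		old[i] = (unsigned char)(0x10 + i);	/* constructed sample contents */
	fixed = realloc_model(old, sizeof old, 64, copy_len_bounded, &n);
	prefix_ok = n && memcmp(n, old, sizeof old) == 0;
	free(n);
	return fixed == 1 && prefix_ok;
}

int main(void)
{
	printf("shrink 64->16: %s\n", demo_shrink() ? "bounded copy stays in bounds, unbounded copy overruns" : "unexpected");
	printf("grow   16->64: %s\n", demo_grow() ? "ok" : "unexpected");
	return 0;
}
```

The guard only makes the overrun visible; a real allocator gives no such slack, which is why the kernel patch bounds the length rather than detecting the overrun after the fact.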
+1 −1
@@ -4361,7 +4361,7 @@ void *vrealloc_node_align_noprof(const void *p, size_t size, unsigned long align
		return NULL;

	if (p) {
		memcpy(n, p, old_size);
		memcpy(n, p, min(size, old_size));
		vfree(p);
	}
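Review bot: the bounded copy leaves the bytes between old_size and size untouched when the request grows, so it is worth confirming in the allocation above this hunk that the new object's tail is zeroed, otherwise a grow now hands back uninitialized memory in that range. Also, the kernel's min() is type-strict: size is declared size_t in the function signature shown in the hunk header, so if old_size is a different type this line will need min_t(size_t, size, old_size) to build cleanly.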