The on-media namespace index nslot is a u32 read from the DIMM label area, or written from userspace via ND_CMD_SET_CONFIG_DATA. __nd_label_validate() bounds nslot against config_size, but the product nslot * label_size is evaluated in 32 bits and wraps, so a crafted nslot passes the check and then drives an out-of-bounds memset in nd_label_data_init().
Patch 1 evaluates the product in 64 bits so the bound is exact; it is the targeted fix, tagged for stable. Patch 2 caps nslot, so a bogus firmware-reported config_size cannot admit a large slot count -- and the large allocation it implies -- even after the product is computed correctly. The sibling multiply in sizeof_namespace_index() derives nslot from config_size via nvdimm_num_label_slots(), not the on-media field, so it cannot overflow and is left unchanged. Verified on -m64 and -m32: the 64-bit bound agrees with an exact divide-based check on the boundary and on randomized inputs, and the cap rejects every wrapping one. The same crafted nslot is an out-of-bounds write on -m32 but not on -m64 before the fix. An out-of-tree module mirroring nd_label_data_init() reproduces the KASAN slab-out-of-bounds write unpatched and is clean with either patch; harness available on request. A negative ndctl test (test/label-compat.sh, oversize nslot) covering both patches will follow separately, per Alison's suggestion. v1 (single patch): https://lore.kernel.org/all/[email protected]/ v2: split the exact fix and the cap into two patches per review; the Reviewed-by and Suggested-by are recorded on the respective patches. Signed-off-by: Bryam Vargas <[email protected]> --- Bryam Vargas (2): libnvdimm/labels: Prevent integer overflow in __nd_label_validate() libnvdimm/labels: reject an implausibly large on-media slot count drivers/nvdimm/label.c | 6 +++++- drivers/nvdimm/label.h | 7 +++++++ 2 files changed, 12 insertions(+), 1 deletion(-) --- base-commit: 502d801f0ab03e4f32f9a33d203154ce84887921 change-id: 20260623-b4-disp-1f2c537a-50ca829a9ea6 Best regards, -- Bryam Vargas <[email protected]>
