| Message ID | 20250116084948.3933834-1-Ilia.Gavrilov@infotecs.ru |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v3] wifi: mac80211: fix integer overflow in hwmp_route_info_get() | expand |
On Thu, 2025-01-16 at 08:49 +0000, Gavrilov Ilia wrote: > Since the new_metric and last_hop_metric variables can reach > the MAX_METRIC(0xffffffff) value, an integer overflow may occur > when multiplying them by 10/9. It can lead to incorrect behavior. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better") > Cc: stable@vger.kernel.org Seems a bit overblown for stable, but also don't really care... > +static inline bool is_metric_better(u32 x, u32 y, u32 percent) > +{ You shouldn't put inline here, in general. Also that function probably wants a comment, and the 'percent' argument is hardcoded to 10, so you don't need it. Let's keep this stuff simple, *especially* if it's for stable too ... > + if (check_add_overflow(x, a, &e)) { > + if (x > y - a) > + return false; seems simpler as "return x > y - a;" or so? johannes
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c index 4e9546e998b6..79aa29d61e6b 100644 --- a/net/mac80211/mesh_hwmp.c +++ b/net/mac80211/mesh_hwmp.c @@ -367,6 +367,26 @@ u32 airtime_link_metric_get(struct ieee80211_local *local, return (u32)result; } +static inline bool is_metric_better(u32 x, u32 y, u32 percent) +{ + u32 a, e; + + if (x >= y) + return false; + + a = mult_frac(x, percent, 100); + + if (check_add_overflow(x, a, &e)) { + if (x > y - a) + return false; + } else { + if (e > y) + return false; + } + + return true; +} + /** * hwmp_route_info_get - Update routing info to originator and transmitter * @@ -458,8 +478,8 @@ static u32 hwmp_route_info_get(struct ieee80211_sub_if_data *sdata, (mpath->sn == orig_sn && (rcu_access_pointer(mpath->next_hop) != sta ? - mult_frac(new_metric, 10, 9) : - new_metric) >= mpath->metric)) { + !is_metric_better(new_metric, mpath->metric, 10) : + new_metric >= mpath->metric))) { process = false; fresh_info = false; } @@ -533,8 +553,8 @@ static u32 hwmp_route_info_get(struct ieee80211_sub_if_data *sdata, if ((mpath->flags & MESH_PATH_FIXED) || ((mpath->flags & MESH_PATH_ACTIVE) && ((rcu_access_pointer(mpath->next_hop) != sta ? - mult_frac(last_hop_metric, 10, 9) : - last_hop_metric) > mpath->metric))) + !is_metric_better(last_hop_metric, mpath->metric, 10) : + last_hop_metric > mpath->metric)))) fresh_info = false; } else { mpath = mesh_path_add(sdata, ta);
Since the new_metric and last_hop_metric variables can reach the MAX_METRIC(0xffffffff) value, an integer overflow may occur when multiplying them by 10/9. It can lead to incorrect behavior. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better") Cc: stable@vger.kernel.org Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru> --- v2: - Remove 64-bit arithmetic according to https://lore.kernel.org/all/a6bd38c58f2f7685eac53844f2336432503c328e.camel@sipsolutions.net/ - Replace multiplication by 10/9 with a function that compares metrics by adding 10% without integer overflow v3: - Fix a typo (persent->percent) net/mac80211/mesh_hwmp.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-)