In 'ovs_meter_execute()', add a warning on the multiplication of 'delta_ms' and 'band->rate'. The value of 'delta_ms' depends on 'meter->max_delta_t', which in turn is calculated based on the user-defined burst_size; it can lead to integer overflow. Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Kandybka <[email protected]>
---
Not tested. I am sending this as an RFC because I am not able to reproduce the issue in-house and I have not found any proof in the code that 'meter->max_delta_t' can't have a value large enough to overflow.

net/openvswitch/meter.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c index cc08e0403909..4811af859405 100644 --- a/net/openvswitch/meter.c +++ b/net/openvswitch/meter.c @@ -646,11 +646,14 @@ bool ovs_meter_execute(struct datapath *dp, struct sk_buff *skb, /* Update all bands and find the one hit with the highest rate. */ for (i = 0; i < meter->n_bands; ++i) { long long int max_bucket_size; + u32 result; band = &meter->bands[i]; max_bucket_size = band->burst_size * 1000LL; - band->bucket += delta_ms * band->rate; + WARN_ON(check_mul_overflow(delta_ms, band->rate, &result)); + band->bucket += result; + if (band->bucket > max_bucket_size) band->bucket = max_bucket_size; -- 2.39.5 (Apple Git-154)
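Review bot: in the band loop, `band->bucket += result;` still runs after `check_mul_overflow()` has reported an overflow, so the bucket is credited with the wrapped product and the `WARN_ON` reports the problem without containing it. On overflow the band should saturate instead, for example by setting `band->bucket = max_bucket_size`, which is what the clamp immediately below does for any oversized value. Because the commit message ties `delta_ms` to a user-defined burst_size, a bare `WARN_ON` on this per-packet path can be driven from configuration, flooding the log and halting hosts that run with panic_on_warn; `WARN_ON_ONCE` or a rate-limited message is the safer choice. Please also confirm that `u32 result` matches the type in which `delta_ms * band->rate` was evaluated before this change: if either operand is wider than 32 bits, products that were previously fine will now trip the warning and be truncated, whereas `max_bucket_size` in the same loop is computed as `long long int`. The extra blank `+` line after the addition can be dropped.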
