From: Felix Fietkau <nbd@openwrt.org>
To: Bob Copeland <me@bobcopeland.com>
Cc: linville@tuxdriver.com, linux-wireless@vger.kernel.org,
	linux-kernel@vger.kernel.org, rathamahata@gmail.com,
	ognjen.maric@gmail.com, rjw@sisk.pl, stable@kernel.org
Subject: Re: [PATCH] mac80211: fix minstrel single-rate memory corruption
Date: Fri, 05 Jun 2009 16:04:40 +0200
Message-ID: <4A2925F8.6060602@openwrt.org>
In-Reply-To: <1244204510-14007-1-git-send-email-me@bobcopeland.com>

Bob Copeland wrote:
> The minstrel rate controller periodically looks up rate indexes in
> a sampling table.  When accessing a specific row and column, minstrel
> correctly does a bounds check which, on the surface, appears to handle
> the case where mi->n_rates < 2.  However, mi->sample_idx is actually
> defined as an unsigned, so the right hand side is taken to be a huge
> positive number when negative, and the check will always fail.
> 
> Consequently, the RC will overrun the array and cause random memory
> corruption when communicating with a peer that has only a single rate.
> The max value of mi->sample_idx is around 25 so casting to int should
> have no ill effects.
> 
> Without the change, uptime is a few minutes under load with an AP
> that has a single hard-coded rate, and both the AP and STA could
> potentially crash.  With the change, both lasted 12 hours with a
> steady load.
> 
> Thanks to Ognjen Maric for providing the single-rate clue so I could
> reproduce this.
> 
> This fixes http://bugzilla.kernel.org/show_bug.cgi?id=12490 on the
> regression list (also http://bugzilla.kernel.org/show_bug.cgi?id=13000).
> 
> Cc: stable@kernel.org
> Reported-by: Sergey S. Kostyliov <rathamahata@gmail.com>
> Reported-by: Ognjen Maric <ognjen.maric@gmail.com>
> Signed-off-by: Bob Copeland <me@bobcopeland.com>
> ---
> 
> John & Felix, the patch itself may be too subtle so feel free to do it a
> different way.  However this is as minimal as it gets so I hope it can
> be applied quickly to stable, and mainline if not too late.
How about changing the type of sample_idx to signed instead of casting
it? It's just a cosmetic thing, so even if you leave it at this you get my
Acked-by: Felix Fietkau <nbd@openwrt.org>

- Felix
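The bug Bob describes is the usual C integer-promotion trap: when an unsigned operand is compared with a signed one of the same rank, the signed side is converted to unsigned, so a negative `n_rates - 2` becomes a huge value and the "wrap around" check never fires. The following is an added, stand-alone model of that check written for this page; it is not the minstrel source and not code from either author. The field names `sample_idx` and `n_rates` follow the e-mail, but the `rc_state` struct, the `SAMPLE_ROWS` constant and the helper functions are constructed here. The model only counts how many times the index would have left a 32-entry table, so it never touches out-of-bounds memory itself.

```c
#include <stdio.h>
#include <limits.h>

/* Constructed model of the sampling-index bookkeeping discussed in the
 * thread. SAMPLE_ROWS is an assumed table size (the report says the index
 * normally stays around 25); the struct is hypothetical. */
#define SAMPLE_ROWS 32

struct rc_state {
    unsigned int sample_idx;   /* unsigned, as in the report */
    int n_rates;               /* number of rates the peer supports */
};

/* The check as reported: sample_idx is unsigned, so (n_rates - 2) is
 * converted to unsigned before the comparison. For n_rates == 1 that is
 * (unsigned)-1 == UINT_MAX, and the condition can never be true. */
static int wrap_needed_buggy(const struct rc_state *mi)
{
    return mi->sample_idx > (mi->n_rates - 2);
}

/* The fix from the patch: force a signed comparison by casting the index.
 * Felix's alternative (declaring sample_idx as int) has the same effect. */
static int wrap_needed_fixed(const struct rc_state *mi)
{
    return (int) mi->sample_idx > (mi->n_rates - 2);
}

/* Advance the sampling index `steps` times with the given wrap check and
 * return how many steps would have read past a SAMPLE_ROWS-entry table.
 * No table is actually indexed, so the model itself is memory-safe. */
static int count_out_of_bounds(int n_rates, int steps,
                               int (*wrap_needed)(const struct rc_state *))
{
    struct rc_state mi = { .sample_idx = 0, .n_rates = n_rates };
    int oob = 0;

    for (int i = 0; i < steps; i++) {
        if (mi.sample_idx >= SAMPLE_ROWS)
            oob++;                 /* this lookup would overrun the table */
        mi.sample_idx++;
        if (wrap_needed(&mi))
            mi.sample_idx = 0;     /* start the next column */
    }
    return oob;
}

int main(void)
{
    /* Peer with a single rate: the buggy check lets the index run away,
     * the fixed check keeps it at 0. */
    printf("n_rates=1 buggy: %d out-of-bounds lookups in 100 steps\n",
           count_out_of_bounds(1, 100, wrap_needed_buggy));
    printf("n_rates=1 fixed: %d out-of-bounds lookups in 100 steps\n",
           count_out_of_bounds(1, 100, wrap_needed_fixed));
    /* With two or more rates both versions behave the same. */
    printf("n_rates=8 buggy: %d out-of-bounds lookups in 100 steps\n",
           count_out_of_bounds(8, 100, wrap_needed_buggy));
    return 0;
}
```

Compiling with `-Wall -Wextra` (or `-Wsign-compare` alone) flags the comparison in `wrap_needed_buggy`, which is the cheapest way to catch this class of defect before it reaches a peer with an unusual rate set.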


Thread overview: 4+ messages
2009-06-05 12:21 [PATCH] mac80211: fix minstrel single-rate memory corruption Bob Copeland
2009-06-05 14:04 ` Felix Fietkau [this message]
2009-06-05 14:21   ` Bob Copeland
2009-06-07 23:06 ` Thiemo Nagel
