[PATCH] drivers:atlx: Prevent integer overflow in statistics aggregation

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Rand Deeb <rand.sec96@gmail.com>
To: Chris Snook <chris.snook@gmail.com>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Christian Marangi <ansuelsmth@gmail.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: deeb.rand@confident.ru, lvc-project@linuxtesting.org,
	voskresenski.stanislav@confident.ru,
	Rand Deeb <rand.sec96@gmail.com>
Subject: [PATCH] drivers:atlx: Prevent integer overflow in statistics aggregation
Date: Mon,  7 Oct 2024 12:29:36 +0300	[thread overview]
Message-ID: <20241007092936.53445-1-rand.sec96@gmail.com> (raw)

The `atl1_inc_smb` function aggregates various RX and TX error counters
from the `stats_msg_block` structure. Currently, the arithmetic operations
are performed using `u32` types, which can lead to integer overflow when
summing large values. This overflow occurs before the result is cast to
a `u64`, potentially resulting in inaccurate network statistics.

To mitigate this risk, each operand in the summation is explicitly cast to
`u64` before performing the addition. This ensures that the arithmetic is
executed in 64-bit space, preventing overflow and maintaining accurate
statistics regardless of the system architecture.

Additionally, the aggregation of collision counters is also subject to
integer overflow. The operands in the summation for `collisions` are now
cast to `u64` to prevent overflow in this aggregation as well.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
---
 drivers/net/ethernet/atheros/atlx/atl1.c | 30 ++++++++++++------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/drivers/net/ethernet/atheros/atlx/atl1.c b/drivers/net/ethernet/atheros/atlx/atl1.c
index a9014d7932db..d61f46799713 100644
--- a/drivers/net/ethernet/atheros/atlx/atl1.c
+++ b/drivers/net/ethernet/atheros/atlx/atl1.c
@@ -1656,17 +1656,17 @@ static void atl1_inc_smb(struct atl1_adapter *adapter)
 	struct net_device *netdev = adapter->netdev;
 	struct stats_msg_block *smb = adapter->smb.smb;
 
-	u64 new_rx_errors = smb->rx_frag +
-			    smb->rx_fcs_err +
-			    smb->rx_len_err +
-			    smb->rx_sz_ov +
-			    smb->rx_rxf_ov +
-			    smb->rx_rrd_ov +
-			    smb->rx_align_err;
-	u64 new_tx_errors = smb->tx_late_col +
-			    smb->tx_abort_col +
-			    smb->tx_underrun +
-			    smb->tx_trunc;
+	u64 new_rx_errors = (u64)smb->rx_frag +
+			    (u64)smb->rx_fcs_err +
+			    (u64)smb->rx_len_err +
+			    (u64)smb->rx_sz_ov +
+			    (u64)smb->rx_rxf_ov +
+			    (u64)smb->rx_rrd_ov +
+			    (u64)smb->rx_align_err;
+	u64 new_tx_errors = (u64)smb->tx_late_col +
+			    (u64)smb->tx_abort_col +
+			    (u64)smb->tx_underrun +
+			    (u64)smb->tx_trunc;
 
 	/* Fill out the OS statistics structure */
 	adapter->soft_stats.rx_packets += smb->rx_ok + new_rx_errors;
@@ -1674,10 +1674,10 @@ static void atl1_inc_smb(struct atl1_adapter *adapter)
 	adapter->soft_stats.rx_bytes += smb->rx_byte_cnt;
 	adapter->soft_stats.tx_bytes += smb->tx_byte_cnt;
 	adapter->soft_stats.multicast += smb->rx_mcast;
-	adapter->soft_stats.collisions += smb->tx_1_col +
-					  smb->tx_2_col +
-					  smb->tx_late_col +
-					  smb->tx_abort_col;
+	adapter->soft_stats.collisions += (u64)smb->tx_1_col +
+					  (u64)smb->tx_2_col +
+					  (u64)smb->tx_late_col +
+					  (u64)smb->tx_abort_col;
 
 	/* Rx Errors */
 	adapter->soft_stats.rx_errors += new_rx_errors;
-- 
2.34.1

next             reply	other threads:[~2024-10-07  9:29 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-10-07  9:29 Rand Deeb [this message]
2024-10-08  0:27 ` [PATCH] drivers:atlx: Prevent integer overflow in statistics aggregation Jakub Kicinski
2024-10-08 16:59   ` Rand Deeb
2024-10-08 17:13     ` Keller, Jacob E

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a9014d7932d dfblob:d61f4679971 )
 OR (
bs:"[PATCH] drivers:atlx: Prevent integer overflow in statistics aggregation" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241007092936.53445-1-rand.sec96@gmail.com \
    --to=rand.sec96@gmail.com \
    --cc=ansuelsmth@gmail.com \
    --cc=chris.snook@gmail.com \
    --cc=davem@davemloft.net \
    --cc=deeb.rand@confident.ru \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lvc-project@linuxtesting.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=voskresenski.stanislav@confident.ru \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).