Re: [PATCH] net: bmac: Fix stack corruption panic in bmac_probe()
From: Jeremy Kerr
Date: Sun May 17 2020 - 21:07:04 EST

Hi Finn,

> This fixes an old bug recently revealed by CONFIG_STACKPROTECTOR.

Good catch. I'm not sure about the fix though. That variable ('addr')
should be an ethernet hardware address; I'm surprised we're accessing
past the 6th byte. The culprit seems to be this, where 'ea' is the
address buffer:

static void
bmac_get_station_address(struct net_device *dev, unsigned char *ea)
{
	int i;
	unsigned short data;

	for (i = 0; i < 6; i++)
	{
		reset_and_select_srom(dev);
		data = read_srom(dev, i + EnetAddressOffset/2, SROMAddressBits);
		ea[2*i]   = bitrev8(data & 0x0ff);
		ea[2*i+1] = bitrev8((data >> 8) & 0x0ff);
	}
}

- where it looks like the condition on that for-loop is wrong; we're
reading two bytes at a time there.

Can you try the attached patch?

Ben/Paul - any thoughts?

Cheers,

Jeremy
-----
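
Added example, not part of the mail above or of the bmac driver: a user-space model of the quoted loop that counts how many bytes land past a 6-byte address buffer for a given loop bound. The SROM words, the guard bytes and bytes_clobbered() are constructed for illustration; the bound of 3 (6 bytes at 2 per word) is inferred from the remark above, since the attached patch is not on this page.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define GUARD    0xAA

/* Constructed SROM contents: three address words, then unrelated zero words. */
static const uint16_t fake_srom[6] = { 0x1000, 0xa05e, 0x2c4d, 0, 0, 0 };

static uint8_t bitrev8(uint8_t b)
{
	b = (b & 0xf0) >> 4 | (b & 0x0f) << 4;
	b = (b & 0xcc) >> 2 | (b & 0x33) << 2;
	b = (b & 0xaa) >> 1 | (b & 0x55) << 1;
	return b;
}

/* Same stores as the quoted routine, with the loop bound as a parameter. */
static void get_station_address(unsigned char *ea, int words)
{
	for (int i = 0; i < words; i++) {
		unsigned short data = fake_srom[i];
		ea[2*i]   = bitrev8(data & 0x0ff);
		ea[2*i+1] = bitrev8((data >> 8) & 0x0ff);
	}
}

/* Returns how many bytes past the 6-byte address were overwritten. */
static int bytes_clobbered(int words)
{
	/* 6 address bytes followed by 6 guard bytes standing in for whatever
	 * sits next to 'addr' in the caller's frame (e.g. the stack canary). */
	unsigned char frame[2 * ETH_ALEN];
	int n = 0;

	memset(frame, GUARD, sizeof(frame));
	get_station_address(frame, words);
	for (int i = ETH_ALEN; i < 2 * ETH_ALEN; i++)
		n += frame[i] != GUARD;
	return n;
}

int main(void)
{
	printf("bound 6: %d bytes past the address\n", bytes_clobbered(6));
	printf("bound 3: %d bytes past the address\n", bytes_clobbered(3));
	return 0;
}
```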