| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 May 2020 10:20:11 +1000
From: Finn Thain <fthain@...egraphics.com.au>
To: "David S. Miller" <davem@...emloft.net>
Cc: "Paul Mackerras" <paulus@...ba.org>, "Jeremy Kerr" <jk@...abs.org>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] net: bmac: Fix stack corruption panic in bmac_probe()
This fixes an old bug recently revealed by CONFIG_STACKPROTECTOR.
[ 25.707616] scsi host0: MESH
[ 28.488852] eth0: BMAC at 00:05:02:07:5a:a6
[ 28.488859]
[ 28.505397] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: bmac_probe+0x540/0x618
[ 28.535152] CPU: 0 PID: 1 Comm: swapper Not tainted 5.6.13 #1
[ 28.552399] Call Trace:
[ 28.559754] [e101dc88] [c0031fe4] panic+0x138/0x314 (unreliable)
[ 28.577764] [e101dce8] [c0031c2c] print_tainted+0x0/0xcc
[ 28.593711] [e101dcf8] [c03a6bf8] bmac_probe+0x540/0x618
[ 28.609667] [e101dd38] [c035e8a8] macio_device_probe+0x60/0x114
[ 28.627457] [e101dd58] [c033ec1c] really_probe+0x100/0x3a0
[ 28.643908] [e101dd88] [c033f098] driver_probe_device+0x68/0x410
[ 28.661948] [e101dda8] [c033f708] device_driver_attach+0xb4/0xe4
[ 28.679986] [e101ddc8] [c033f7a0] __driver_attach+0x68/0x10c
[ 28.696978] [e101dde8] [c033c8c0] bus_for_each_dev+0x88/0xf0
[ 28.713973] [e101de18] [c033ded8] bus_add_driver+0x1c0/0x228
[ 28.730966] [e101de48] [c033ff48] driver_register+0x88/0x15c
[ 28.747966] [e101de68] [c00044a0] do_one_initcall+0x7c/0x218
[ 28.764976] [e101ded8] [c0640480] kernel_init_freeable+0x168/0x230
[ 28.783512] [e101df18] [c000486c] kernel_init+0x14/0x104
[ 28.799473] [e101df38] [c0012234] ret_from_kernel_thread+0x14/0x1c
[ 28.818031] Rebooting in 180 seconds..
The bmac_probe() stack frame was apparently corrupted by an array bounds
overrun in bmac_get_station_address().
This patch is the simplest way to resolve the issue given possible
side effects (?) from hardware accesses in bmac_get_station_address().
Cc: Paul Mackerras <paulus@...ba.org>
Cc: Jeremy Kerr <jk@...abs.org>
Fixes: 1a2509c946bf ("[POWERPC] netdevices: Constify & voidify get_property()")
Reported-and-tested-by: Stan Johnson <userm57@...oo.com>
Signed-off-by: Finn Thain <fthain@...egraphics.com.au>
---
This choice of 'Fixes' tag is (of course) debatable. Other possible
choices might be 1da177e4c3f4 ("Linux-2.6.12-rc2"),
c3ff2a5193fa ("powerpc/32: add stack protector support") and so on.
---
drivers/net/ethernet/apple/bmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c
index a58185b1d8bf..4d9deed3409c 100644
--- a/drivers/net/ethernet/apple/bmac.c
+++ b/drivers/net/ethernet/apple/bmac.c
@@ -1239,7 +1239,7 @@ static int bmac_probe(struct macio_dev *mdev, const struct of_device_id *match)
int j, rev, ret;
struct bmac_data *bp;
const unsigned char *prop_addr;
- unsigned char addr[6];
+ unsigned char addr[12];
struct net_device *dev;
int is_bmac_plus = ((int)match->data) != 0;
--
2.26.2
Powered by blists - more mailing lists