2020-05-18 00:28:14

by Finn Thain

[permalink] [raw]
Subject: [PATCH] net: bmac: Fix stack corruption panic in bmac_probe()

This fixes an old bug recently revealed by CONFIG_STACKPROTECTOR.

[ 25.707616] scsi host0: MESH
[ 28.488852] eth0: BMAC at 00:05:02:07:5a:a6
[ 28.488859]
[ 28.505397] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: bmac_probe+0x540/0x618
[ 28.535152] CPU: 0 PID: 1 Comm: swapper Not tainted 5.6.13 #1
[ 28.552399] Call Trace:
[ 28.559754] [e101dc88] [c0031fe4] panic+0x138/0x314 (unreliable)
[ 28.577764] [e101dce8] [c0031c2c] print_tainted+0x0/0xcc
[ 28.593711] [e101dcf8] [c03a6bf8] bmac_probe+0x540/0x618
[ 28.609667] [e101dd38] [c035e8a8] macio_device_probe+0x60/0x114
[ 28.627457] [e101dd58] [c033ec1c] really_probe+0x100/0x3a0
[ 28.643908] [e101dd88] [c033f098] driver_probe_device+0x68/0x410
[ 28.661948] [e101dda8] [c033f708] device_driver_attach+0xb4/0xe4
[ 28.679986] [e101ddc8] [c033f7a0] __driver_attach+0x68/0x10c
[ 28.696978] [e101dde8] [c033c8c0] bus_for_each_dev+0x88/0xf0
[ 28.713973] [e101de18] [c033ded8] bus_add_driver+0x1c0/0x228
[ 28.730966] [e101de48] [c033ff48] driver_register+0x88/0x15c
[ 28.747966] [e101de68] [c00044a0] do_one_initcall+0x7c/0x218
[ 28.764976] [e101ded8] [c0640480] kernel_init_freeable+0x168/0x230
[ 28.783512] [e101df18] [c000486c] kernel_init+0x14/0x104
[ 28.799473] [e101df38] [c0012234] ret_from_kernel_thread+0x14/0x1c
[ 28.818031] Rebooting in 180 seconds..

The bmac_probe() stack frame was apparently corrupted by an array bounds
overrun in bmac_get_station_address().

This patch is the simplest way to resolve the issue given possible
side effects (?) from hardware accesses in bmac_get_station_address().

Cc: Paul Mackerras <[email protected]>
Cc: Jeremy Kerr <[email protected]>
Fixes: 1a2509c946bf ("[POWERPC] netdevices: Constify & voidify get_property()")
Reported-and-tested-by: Stan Johnson <[email protected]>
Signed-off-by: Finn Thain <[email protected]>
---
This choice of 'Fixes' tag is (of course) debatable. Other possible
choices might be 1da177e4c3f4 ("Linux-2.6.12-rc2"),
c3ff2a5193fa ("powerpc/32: add stack protector support") and so on.
---
drivers/net/ethernet/apple/bmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c
index a58185b1d8bf..4d9deed3409c 100644
--- a/drivers/net/ethernet/apple/bmac.c
+++ b/drivers/net/ethernet/apple/bmac.c
@@ -1239,7 +1239,7 @@ static int bmac_probe(struct macio_dev *mdev, const struct of_device_id *match)
int j, rev, ret;
struct bmac_data *bp;
const unsigned char *prop_addr;
- unsigned char addr[6];
+ unsigned char addr[12];
struct net_device *dev;
int is_bmac_plus = ((int)match->data) != 0;

--
2.26.2


2020-05-18 01:08:51

by Jeremy Kerr

[permalink] [raw]
Subject: Re: [PATCH] net: bmac: Fix stack corruption panic in bmac_probe()

Hi Finn,

> This fixes an old bug recently revealed by CONFIG_STACKPROTECTOR.

Good catch. I'm not sure about the fix though. That variable ('addr')
should be a ethernet hardware address; I'm surprised we're accessing
past the 6th byte. The culprit seems to be this, where 'ea' is the
address buffer:

static void
bmac_get_station_address(struct net_device *dev, unsigned char *ea)
{
int i;
unsigned short data;

for (i = 0; i < 6; i++)
{
reset_and_select_srom(dev);
data = read_srom(dev, i + EnetAddressOffset/2, SROMAddressBits);
ea[2*i] = bitrev8(data & 0x0ff);
ea[2*i+1] = bitrev8((data >> 8) & 0x0ff);
}
}

- where it looks like the condition on that for-loop is wrong; we're
reading two bytes at a time there.

Can you try the attached patch?

Ben/Paul - any thoughts?

Cheers,


Jeremy

-----

From 141b20bcbdb3ad7c166b83b4ea61f3521d0a0679 Mon Sep 17 00:00:00 2001
From: Jeremy Kerr <[email protected]>
Date: Mon, 18 May 2020 08:54:25 +0800
Subject: [PATCH] net: bmac: Fix read of MAC address from ROM

In bmac_get_station_address, We're reading two bytes at a time from ROM,
but we do that six times, resulting in 12 bytes of read & writes. This
means we will write off the end of the six-byte destination buffer.

This change fixes the for-loop to only read/write six bytes.

Based on a proposed fix from Finn Thain <[email protected]>.

Signed-off-by: Jeremy Kerr <[email protected]>
Reported-by: Stan Johnson <[email protected]>
Reported-by: Finn Thain <[email protected]>
---
drivers/net/ethernet/apple/bmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c
index a58185b1d8bf..3e3711b60d01 100644
--- a/drivers/net/ethernet/apple/bmac.c
+++ b/drivers/net/ethernet/apple/bmac.c
@@ -1182,7 +1182,7 @@ bmac_get_station_address(struct net_device *dev, unsigned char *ea)
int i;
unsigned short data;

- for (i = 0; i < 6; i++)
+ for (i = 0; i < 3; i++)
{
reset_and_select_srom(dev);
data = read_srom(dev, i + EnetAddressOffset/2, SROMAddressBits);
--
2.17.1



2020-05-19 01:01:18

by Jeremy Kerr

[permalink] [raw]
Subject: Re: [PATCH] net: bmac: Fix stack corruption panic in bmac_probe()

Hi Stan,

> The new kernel compiled and booted with no errors, with these
> STACKPROTECTOR options in .config (the last two revealed the bug):
>
> CONFIG_HAVE_STACKPROTECTOR=y
> CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
> CONFIG_STACKPROTECTOR=y
> CONFIG_STACKPROTECTOR_STRONG=y

Brilliant, thanks for testing. I'll send a standalone patch to netdev.

Cheers,


Jeremy

2020-05-19 09:22:01

by Benjamin Herrenschmidt

[permalink] [raw]
Subject: Re: [PATCH] net: bmac: Fix stack corruption panic in bmac_probe()

On Tue, 2020-05-19 at 08:59 +0800, Jeremy Kerr wrote:
> Hi Stan,
>
> > The new kernel compiled and booted with no errors, with these
> > STACKPROTECTOR options in .config (the last two revealed the bug):
> >
> > CONFIG_HAVE_STACKPROTECTOR=y
> > CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
> > CONFIG_STACKPROTECTOR=y
> > CONFIG_STACKPROTECTOR_STRONG=y
>
> Brilliant, thanks for testing. I'll send a standalone patch to
> netdev.

Nice catch :-) Lots of people used these machines for years without
noticing :-) .... Granted most people used newer generation stuff with
a gmac instead.

Cheers,
Ben.