Message-ID: <43d5717e7157fd300fd5bf893e517bbdf65c36f4.camel@ozlabs.org>
Subject: Re: [PATCH] net: bmac: Fix stack corruption panic in bmac_probe()
From: Jeremy Kerr
To: Finn Thain, "David S. Miller"
Cc: Paul Mackerras, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Stan Johnson, Benjamin Herrenschmidt
Date: Mon, 18 May 2020 09:06:59 +0800
In-Reply-To: <769e9041942802d0e9ff272c12ee359a04b84a90.1589761211.git.fthain@telegraphics.com.au>

Hi Finn,

> This fixes an old bug recently revealed by CONFIG_STACKPROTECTOR.

Good catch. I'm not sure about the fix though. That variable ('addr')
should be an ethernet hardware address; I'm surprised we're accessing
past the 6th byte. The culprit seems to be this, where 'ea' is the
address buffer:

    static void
    bmac_get_station_address(struct net_device *dev, unsigned char *ea)
    {
        int i;
        unsigned short data;

        for (i = 0; i < 6; i++)
            {
                reset_and_select_srom(dev);
                data = read_srom(dev, i + EnetAddressOffset/2, SROMAddressBits);
                ea[2*i] = bitrev8(data & 0x0ff);
                ea[2*i+1] = bitrev8((data >> 8) & 0x0ff);
            }
    }

- where it looks like the condition on that for-loop is wrong; we're
reading two bytes at a time there.

Can you try the attached patch?

Ben/Paul - any thoughts?

Cheers,

Jeremy

-----

From 141b20bcbdb3ad7c166b83b4ea61f3521d0a0679 Mon Sep 17 00:00:00 2001
From: Jeremy Kerr
Date: Mon, 18 May 2020 08:54:25 +0800
Subject: [PATCH] net: bmac: Fix read of MAC address from ROM

In bmac_get_station_address, we're reading two bytes at a time from ROM,
but we do that six times, resulting in 12 bytes of read & writes. This
means we will write off the end of the six-byte destination buffer.

This change fixes the for-loop to only read/write six bytes.

Based on a proposed fix from Finn Thain.

Signed-off-by: Jeremy Kerr Reported-by: Stan Johnson Reported-by: Finn Thain --- drivers/net/ethernet/apple/bmac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c index a58185b1d8bf..3e3711b60d01 100644 --- a/drivers/net/ethernet/apple/bmac.c +++ b/drivers/net/ethernet/apple/bmac.c @@ -1182,7 +1182,7 @@ bmac_get_station_address(struct net_device *dev, unsigned char *ea) int i; unsigned short data; - for (i = 0; i < 6; i++) + for (i = 0; i < 3; i++) { reset_and_select_srom(dev); data = read_srom(dev, i + EnetAddressOffset/2, SROMAddressBits); -- 2.17.1
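
Review bot: the new bound in "for (i = 0; i < 3; i++)" is a bare constant, and nothing in the hunk ties it to the six-byte buffer or to the two stores per pass that make 3 the right value. Consider writing the bound as ETH_ALEN / 2, or adding a one-line comment that each SROM word supplies two address bytes, so the loop count cannot drift from the buffer size again. Since 'ea' arrives as a plain "unsigned char *" with no length, a short comment on the function stating that it writes exactly six bytes would also document the contract the callers rely on.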
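
Added example, not part of the mail above or of the kernel source: a userspace model of the loop discussed in the message, run with the old and the new bound into a six-byte region followed by guard bytes, so the extent of the overrun can be counted. fake_srom, GUARD and bytes_past_end() are hypothetical names with constructed values; the EnetAddressOffset/2 index offset and reset_and_select_srom() are left out of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6     /* size of the caller's address buffer */
#define GUARD   0xA5  /* constructed fill value for the bytes after it */

/* Constructed SROM words (not real hardware data): 08:00:07:12:34:56, then 3 others. */
static const uint16_t fake_srom[6] = { 0x0010, 0x48e0, 0x6a2c, 0x1111, 0x2222, 0x3333 };

/* Same result as the kernel's bitrev8(): reverse the bits of one byte. */
static uint8_t bitrev8(uint8_t b)
{
	b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4));
	b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
	b = (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
	return b;
}

/* Model of the quoted loop; 'words' is its bound (6 before the patch, 3 after). */
static void get_station_address(unsigned char *ea, int words)
{
	for (int i = 0; i < words; i++) {
		uint16_t data = fake_srom[i];	/* stands in for read_srom() */
		ea[2*i]   = bitrev8(data & 0x0ff);
		ea[2*i+1] = bitrev8((data >> 8) & 0x0ff);
	}
}

/* Run the loop into a 6-byte region followed by 8 guard bytes, copy the
 * address to 'out', and return how many guard bytes were overwritten. */
static int bytes_past_end(int words, unsigned char out[MAC_LEN])
{
	unsigned char frame[MAC_LEN + 8];
	int clobbered = 0;
	memset(frame, GUARD, sizeof(frame));
	get_station_address(frame, words);
	for (size_t i = MAC_LEN; i < sizeof(frame); i++)
		clobbered += (frame[i] != GUARD);
	memcpy(out, frame, MAC_LEN);
	return clobbered;
}

int main(void)
{
	unsigned char mac[MAC_LEN];
	printf("bound 6: %d bytes past the buffer, bound 3: %d\n",
	       bytes_past_end(6, mac), bytes_past_end(3, mac));
	return 0;
}
```

In the driver the bytes after the buffer are the caller's stack rather than guard bytes, which is why CONFIG_STACKPROTECTOR exposed the bug.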