[Yaffs-archive] YAFFS stack corruption bug

Author: Nick Bane
Date:  
To: yaffs list, Charles Manning
Subject: [Yaffs-archive] YAFFS stack corruption bug
Charles

I have found the stack corruption bug at very long last.

The problem lies in yaffs_CheckECCOnTags (using an ecc value that is too big
created by yaffs_CalcTagsECC)
unsigned char *b=((yaffs_tagsUnion *)tags)->asBytes points to a
datastructure that is 8 bytes long.
ecc is obtained and if non-zero is decremented and b[ecc/8]^=(1<<(ecc &7))
This is fine for all values of ecc>=0 and <=7*8 else bounds are broken.
Adding a printk for ecc just before this shows values for ecc up to 4018.
This fills in values in a datastructure above the local variable pointed to
by yaffs_Tags *tags which mashes the saved register on the stack that just
happened to point to a yaffs_Object * whose dereferenced in->MyObj was NULL
which ... you get the picture.

Changing the value from 0xff to 0x7f in yaffs_CalcTagsECC does not help. Most
of the ecc values are greater than 63.

[Incidentally, I trapped this by adding a local char array declaration to
functions preceding the kernel panic. The arrays were zeroed and
referenced by a file global static pointer. A function to check the pointed
to memory area for change was polled within deeper routines passing a string
reference to the current location of calling to narrow down the problem. The
corruption once detected triggered a printk of the location reference and
caused a deliberate *(char *)0=1 to panic the kernel. The terminal log was
then examined as a trace. It worked rather well.]

Time for a beer.

Nick

-------------------------------------------
Nick Bane
Cambridge, UK.
+44(0)1954 71927
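Added example, not from the post or from the YAFFS sources: a C sketch of the single-bit correction step Nick describes, with the bounds check on the decremented ecc position that keeps the write inside the 8-byte structure. The union, constants and function names are assumed stand-ins for yaffs_tagsUnion and yaffs_CheckECCOnTags, and the out-of-range value 4018 is the one quoted in the post.

```c
#include <stdint.h>
#include <string.h>

/* Assumed stand-in for YAFFS's 8-byte tags union (constructed for this example). */
#define TAGS_BYTES 8
#define TAGS_BITS  (TAGS_BYTES * 8)

typedef union {
    unsigned char asBytes[TAGS_BYTES];
    uint64_t      asWord;
} tags_union_t;

enum fix_result { FIX_NONE = 0, FIX_CORRECTED = 1, FIX_REJECTED = -1 };

/* The byte offset the unchecked code (b[ecc/8] after decrementing a non-zero
 * ecc) would have written.  Only computed and returned, never used to index
 * memory, so it is safe to evaluate for any ecc value. */
int unchecked_byte_offset(unsigned ecc)
{
    if (ecc == 0)
        return -1;                  /* zero means "nothing to correct" */
    return (int)((ecc - 1) / 8);
}

/* Hardened correction: flip the indicated bit only when the decremented ecc
 * position lies within the TAGS_BITS bits of the structure; otherwise refuse
 * rather than write past asBytes[TAGS_BYTES - 1] onto the stack. */
enum fix_result apply_tags_ecc_fix(tags_union_t *t, unsigned ecc)
{
    if (ecc == 0)
        return FIX_NONE;
    ecc--;
    if (ecc >= TAGS_BITS)
        return FIX_REJECTED;        /* e.g. 4018 would land at byte 502 */
    t->asBytes[ecc / 8] ^= (unsigned char)(1u << (ecc & 7));
    return FIX_CORRECTED;
}
```

A rejected correction should be treated as an uncorrectable tag (the caller reports the error) rather than silently accepted.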