https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284073
--- Comment #15 from Zhenlei Huang <z...@freebsd.org> ---

Update:

After carefully reading the disassembled code, I can confirm the fault address is RIP (0xffffffff80b4dee7).

For `sysctl_handle_string()`, `req` is the last arg, which is passed via register %rcx.

```
ffffffff80b4de2e: 48 89 cb        movq %rcx, %rbx
```

It was saved to callee-saved register %rbx, and the following flow does not touch it. It was `0000000500000005` when passed in. Then the indirect memory access

```
ffffffff80b4dee7: 4c 8b 63 10     movq 0x10(%rbx), %r12
```

will panic.

Part of the disassembled code of if_bnxt.ko:

```
$ objdump --disassemble-symbols=bnxt_dcb_list_app -r /boot/kernel/if_bnxt.ko
...
   1a5cc: 53                          pushq %rbx
   1a5cd: 48 81 ec 28 02 00 00        subq $0x228, %rsp       # imm = 0x228, reserve app[128] and other local vars.
   1a5d4: 48 89 cb                    movq %rcx, %rbx         # save req
...
   1a622: 48 89 5d c8                 movq %rbx, -0x38(%rbp)
...
   1a6f0: ba 00 10 00 00              movl $0x1000, %edx      # imm = 0x1000
   1a6f5: 4c 89 f7                    movq %r14, %rdi
   1a6f8: 4c 89 fe                    movq %r15, %rsi
   1a6fb: 48 8b 4d c8                 movq -0x38(%rbp), %rcx  # previously saved req
   1a6ff: e8 00 00 00 00              callq 0x1a704 <bnxt_dcb_list_app+0x144>
                000000000001a700:  R_X86_64_PLT32 sysctl_handle_string-0x4
```

If `bnxt_dcb_ieee_listapp()` OOB writes the on-stack variable app[128], then it makes sense that we get `%rbx == 0000000500000005`. We can add an assertion for that.

--
You are receiving this mail because:
You are the assignee for the bug.
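Added example, not code from the bug report or the bnxt driver: a C model of the frame layout described in the comment with a bounded list routine, where the caller hands over the capacity of app[] and gets the true entry count back, so an overlong list is reported as truncation instead of showing up later as a clobbered saved pointer. The entry struct, its fields and all function names are assumed.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the driver's per-app entry; the field layout is assumed. */
struct dcb_app_entry {
    uint8_t  selector;
    uint8_t  priority;
    uint16_t protocol;
};

#define APP_MAX 128u   /* the on-stack app[128] named in the comment */

/* Models the caller's frame: app[] followed by a spilled pointer, like the
 * saved 'req' at -0x38(%rbp).  A write past app[] would land on saved_req. */
struct list_app_frame {
    struct dcb_app_entry app[APP_MAX];
    uintptr_t            saved_req;
};

/* Copies at most 'cap' entries into 'out' and returns how many the source
 * holds, so the caller can assert on truncation (return > cap) instead of
 * discovering it later as a clobbered pointer. */
static size_t list_app_bounded(const struct dcb_app_entry *src, size_t nsrc,
                               struct dcb_app_entry *out, size_t cap)
{
    size_t n = nsrc < cap ? nsrc : cap;
    memcpy(out, src, n * sizeof(*out));
    return nsrc;
}

/* Fills a frame from a constructed table of 'nsrc' entries (capped at 256)
 * and classifies the outcome: -1 spilled pointer clobbered, 0 list fit,
 * 1 list was truncated but the spilled pointer is intact. */
static int list_app_result(size_t nsrc)
{
    static struct dcb_app_entry src[256];   /* constructed source table */
    for (size_t i = 0; i < 256; i++) {
        src[i].selector = 1;
        src[i].priority = (uint8_t)(i % 8);
        src[i].protocol = (uint16_t)(0x8000u + i);
    }
    struct list_app_frame f;
    f.saved_req = (uintptr_t)0x5a5a5a5a5a5a5a5aULL;   /* constructed sentinel */
    size_t total = list_app_bounded(src, nsrc > 256 ? 256 : nsrc, f.app, APP_MAX);
    if (f.saved_req != (uintptr_t)0x5a5a5a5a5a5a5a5aULL)
        return -1;
    return total > APP_MAX ? 1 : 0;
}
```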