[kernel] r13745 - in dists/lenny/linux-2.6: . debian debian/patches/bugfix/all debian/patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jun 9 06:26:49 UTC 2009


Author: dannf
Date: Tue Jun  9 06:26:39 2009
New Revision: 13745

Log:
e1000: add missing length check to e1000 receive routine (CVE-2009-1385)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
      - copied unchanged from r13742, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
Modified:
   dists/lenny/linux-2.6/   (props changed)
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/16

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Tue Jun  9 06:22:38 2009	(r13744)
+++ dists/lenny/linux-2.6/debian/changelog	Tue Jun  9 06:26:39 2009	(r13745)
@@ -45,6 +45,7 @@
   * [sparc64] Fix crash when reading /proc/iomem w/ heap memory checking
     (CVE-2009-1914)
   * splice: fix deadlock in ocfs2 (CVE-2009-1961)
+  * e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
   
   [ Ben Hutchings ]
   * sata_nv: avoid link reset on controllers where it's broken
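Review bot: the new changelog line names the fix but not its effect, while the neighbouring entries do ("Fix crash when reading /proc/iomem", "fix deadlock in ocfs2"); since the imported patch description calls this a remote DoS via crafted frame sizes, consider "e1000: add missing length check to receive routine (remote DoS, CVE-2009-1385)" so the security impact is visible in the changelog without opening the patch. The CVE id and placement (appended to the existing security block, before the "[ Ben Hutchings ]" section) are consistent with the log message and with the series entry added in the same revision.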

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch (from r13742, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch	Tue Jun  9 06:26:39 2009	(r13745, copy of r13742, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch)
@@ -0,0 +1,46 @@
+commit ea30e11970a96cfe5e32c03a29332554573b4a10
+Author: Neil Horman <nhorman at tuxdriver.com>
+Date:   Tue Jun 2 01:29:58 2009 -0700
+
+    e1000: add missing length check to e1000 receive routine
+    
+    	Patch to fix bad length checking in e1000.  E1000 by default does two
+    things:
+    
+    1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
+    2) Strips the crc from a frame by subtracting 4 bytes from the length prior to
+    doing an skb_put
+    
+    Since the e1000 driver isn't written to support receiving packets that span
+    multiple rx buffers, it checks the End of Packet bit of every frame, and
+    discards it if its not set.  This places us in a situation where, if we have a
+    spanning packet, the first part is discarded, but the second part is not (since
+    it is the end of packet, and it passes the EOP bit test).  If the second part of
+    the frame is small (4 bytes or less), we subtract 4 from it to remove its crc,
+    underflow the length, and wind up in skb_over_panic, when we try to skb_put a
+    huge number of bytes into the skb.  This amounts to a remote DOS attack through
+    careful selection of frame size in relation to interface MTU.  The fix for this
+    is already in the e1000e driver, as well as the e1000 sourceforge driver, but no
+    one ever pushed it to e1000.  This is lifted straight from e1000e, and prevents
+    small frames from causing the underflow described above
+    
+    Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+    Tested-by: Andy Gospodarek <andy at greyhouse.net>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/e1000/e1000_main.c b/drivers/net/e1000/e1000_main.c
+index b1419e2..fffb006 100644
+--- a/drivers/net/e1000/e1000_main.c
++++ b/drivers/net/e1000/e1000_main.c
+@@ -4027,8 +4027,9 @@ static bool e1000_clean_rx_irq(struct e1000_adapter *adapter,
+ 		                 PCI_DMA_FROMDEVICE);
+ 
+ 		length = le16_to_cpu(rx_desc->length);
+-
+-		if (unlikely(!(status & E1000_RXD_STAT_EOP))) {
++		/* !EOP means multiple descriptors were used to store a single
++		 * packet, also make sure the frame isn't just CRC only */
++		if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) {
+ 			/* All receives must fit into a single buffer */
+ 			E1000_DBG("%s: Receive packet consumed multiple"
+ 				  " buffers\n", netdev->name);
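Review bot: the widened condition `!(status & E1000_RXD_STAT_EOP) || (length <= 4)` now drops CRC-only fragments into the same branch as spanning packets, but the debug message that follows still says only "Receive packet consumed multiple buffers", so a frame discarded for being 4 bytes or shorter is reported as a multi-buffer receive; the added comment explains both cases, and the E1000_DBG text should too (for example "... multiple buffers or is CRC-only"), otherwise the new rejection path is invisible when diagnosing dropped frames. The `<= 4` bound is the right one for the failure the description gives (4 bytes of CRC subtracted from an unsigned `length` before `skb_put`), since it rejects exactly the lengths that would reach zero or wrap; the patch header carries the upstream commit id and Signed-off-by lines, which gives the provenance needed to track this against the e1000e version it was lifted from.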

Modified: dists/lenny/linux-2.6/debian/patches/series/16
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/16	Tue Jun  9 06:22:38 2009	(r13744)
+++ dists/lenny/linux-2.6/debian/patches/series/16	Tue Jun  9 06:26:39 2009	(r13745)
@@ -14,3 +14,4 @@
 + bugfix/all/drivers-net-wireless-iwl4965-scan-cancel.patch
 + bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch
 + bugfix/all/ocfs2-splice-deadlock.patch
++ bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
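Review bot: the series entry matches the path of the newly added file under debian/patches/bugfix/all and is appended after ocfs2-splice-deadlock.patch, the same order as the changelog entries, so the two stay consistent; nothing to change in this hunk.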
