[kernel] r13747 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jun 9 15:07:58 UTC 2009
Author: dannf
Date: Tue Jun 9 15:07:56 2009
New Revision: 13747
Log:
r8169: fix crash when large packets are received (CVE-2009-1389)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/16
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Tue Jun 9 06:28:04 2009 (r13746)
+++ dists/lenny/linux-2.6/debian/changelog Tue Jun 9 15:07:56 2009 (r13747)
@@ -26,6 +26,7 @@
(CVE-2009-1914)
* splice: fix deadlock in ocfs2 (CVE-2009-1961)
* e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
+ * r8169: fix crash when large packets are received (CVE-2009-1389)
[ Martin Michlmayr ]
* cdc-acm: Add quirk for MTK II GPS, such as Qstarz BT-Q1000X (closes:
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch Tue Jun 9 15:07:56 2009 (r13747)
@@ -0,0 +1,81 @@
+commit fdd7b4c3302c93f6833e338903ea77245eb510b4
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Tue Jun 9 04:01:02 2009 -0700
+
+ r8169: fix crash when large packets are received
+
+ Michael Tokarev reported receiving a large packet could crash
+ a machine with RTL8169 NIC.
+ ( original thread at http://lkml.org/lkml/2009/6/8/192 )
+
+ Problem is this driver tells that NIC frames up to 16383 bytes
+ can be received but provides skb to rx ring allocated with
+ smaller sizes (1536 bytes in case standard 1500 bytes MTU is used)
+
+ When a frame larger than what was allocated by driver is received,
+ dma transfert can occurs past the end of buffer and corrupt
+ kernel memory.
+
+ Fix is to tell to NIC what is the maximum size a frame can be.
+
+ This bug is very old, (before git introduction, linux-2.6.10), and
+ should be backported to stable versions.
+
+ Reported-by: Michael Tokarev <mjt at tls.msk.ru>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Tested-by: Michael Tokarev <mjt at tls.msk.ru>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/r8169.c linux-source-2.6.26/drivers/net/r8169.c
+--- linux-source-2.6.26.orig/drivers/net/r8169.c 2009-05-11 12:06:52.000000000 -0600
++++ linux-source-2.6.26/drivers/net/r8169.c 2009-06-09 08:44:34.000000000 -0600
+@@ -81,7 +81,6 @@ static const int multicast_filter_limit
+ #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */
+-#define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */
+ #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
+
+@@ -1982,10 +1981,10 @@ static u16 rtl_rw_cpluscmd(void __iomem
+ return cmd;
+ }
+
+-static void rtl_set_rx_max_size(void __iomem *ioaddr)
++static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
+ {
+ /* Low hurts. Let's disable the filtering. */
+- RTL_W16(RxMaxSize, 16383);
++ RTL_W16(RxMaxSize, rx_buf_sz);
+ }
+
+ static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
+@@ -2032,7 +2031,7 @@ static void rtl_hw_start_8169(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
+@@ -2096,7 +2095,7 @@ static void rtl_hw_start_8168(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ rtl_set_rx_tx_config_registers(tp);
+
+@@ -2150,7 +2149,7 @@ static void rtl_hw_start_8101(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
+
Modified: dists/lenny/linux-2.6/debian/patches/series/16
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/16 Tue Jun 9 06:28:04 2009 (r13746)
+++ dists/lenny/linux-2.6/debian/patches/series/16 Tue Jun 9 15:07:56 2009 (r13747)
@@ -15,3 +15,4 @@
+ bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch
+ bugfix/all/ocfs2-splice-deadlock.patch
+ bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
++ bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
More information about the Kernel-svn-changes
mailing list