[kernel] r13747 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jun 9 15:07:58 UTC 2009


Author: dannf
Date: Tue Jun  9 15:07:56 2009
New Revision: 13747

Log:
r8169: fix crash when large packets are received (CVE-2009-1389)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/16

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Tue Jun  9 06:28:04 2009	(r13746)
+++ dists/lenny/linux-2.6/debian/changelog	Tue Jun  9 15:07:56 2009	(r13747)
@@ -26,6 +26,7 @@
     (CVE-2009-1914)
   * splice: fix deadlock in ocfs2 (CVE-2009-1961)
   * e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
+  * r8169: fix crash when large packets are received (CVE-2009-1389)
 
   [ Martin Michlmayr ]
   * cdc-acm: Add quirk for MTK II GPS, such as Qstarz BT-Q1000X (closes:

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch	Tue Jun  9 15:07:56 2009	(r13747)
@@ -0,0 +1,81 @@
+commit fdd7b4c3302c93f6833e338903ea77245eb510b4
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Tue Jun 9 04:01:02 2009 -0700
+
+    r8169: fix crash when large packets are received
+    
+    Michael Tokarev reported receiving a large packet could crash
+    a machine with RTL8169 NIC.
+    ( original thread at http://lkml.org/lkml/2009/6/8/192 )
+    
+    Problem is this driver tells that NIC frames up to 16383 bytes
+    can be received but provides skb to rx ring allocated with
+    smaller sizes (1536 bytes in case standard 1500 bytes MTU is used)
+    
+    When a frame larger than what was allocated by driver is received,
+    dma transfert can occurs past the end of buffer and corrupt
+    kernel memory.
+    
+    Fix is to tell to NIC what is the maximum size a frame can be.
+    
+    This bug is very old, (before git introduction, linux-2.6.10), and
+    should be backported to stable versions.
+    
+    Reported-by: Michael Tokarev <mjt at tls.msk.ru>
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Tested-by: Michael Tokarev <mjt at tls.msk.ru>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/r8169.c linux-source-2.6.26/drivers/net/r8169.c
+--- linux-source-2.6.26.orig/drivers/net/r8169.c	2009-05-11 12:06:52.000000000 -0600
++++ linux-source-2.6.26/drivers/net/r8169.c	2009-06-09 08:44:34.000000000 -0600
+@@ -81,7 +81,6 @@ static const int multicast_filter_limit 
+ #define RX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld	0x3F	/* 0x3F means NO early transmit */
+-#define RxPacketMaxSize	0x3FE8	/* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu		0x1c20	/* ... actually life sucks beyond ~7k */
+ #define InterFrameGap	0x03	/* 3 means InterFrameGap = the shortest one */
+ 
+@@ -1982,10 +1981,10 @@ static u16 rtl_rw_cpluscmd(void __iomem 
+ 	return cmd;
+ }
+ 
+-static void rtl_set_rx_max_size(void __iomem *ioaddr)
++static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
+ {
+ 	/* Low hurts. Let's disable the filtering. */
+-	RTL_W16(RxMaxSize, 16383);
++	RTL_W16(RxMaxSize, rx_buf_sz);
+ }
+ 
+ static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
+@@ -2032,7 +2031,7 @@ static void rtl_hw_start_8169(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ 	    (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
+@@ -2096,7 +2095,7 @@ static void rtl_hw_start_8168(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	rtl_set_rx_tx_config_registers(tp);
+ 
+@@ -2150,7 +2149,7 @@ static void rtl_hw_start_8101(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
+ 
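Review bot: The comment kept in `rtl_set_rx_max_size()` (`/* Low hurts. Let's disable the filtering. */`) no longer matches the code, because the new line programs RxMaxSize with the receive buffer size and that limit is the entire fix; I would replace it with `/* Cap the frame size the NIC may DMA at the rx buffer size; a larger value lets DMA run past the skb. */`. The value is an `unsigned int` written through the 16-bit `RTL_W16`, so anything above 0xffff would be silently truncated. `rx_buf_sz` is assigned outside these hunks and presumably stays well below that, but this should be confirmed for MTUs up to `SafeMtu`. The protection also depends on the hardware honouring the register, and the receive routine is not part of this patch, so it is worth checking that it drops a descriptor whose reported length exceeds `tp->rx_buf_sz`. The three `rtl_hw_start_*` callers are only partly visible here, so whether `tp->rx_buf_sz` is already set when they run cannot be seen from the hunks.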

Modified: dists/lenny/linux-2.6/debian/patches/series/16
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/16	Tue Jun  9 06:28:04 2009	(r13746)
+++ dists/lenny/linux-2.6/debian/patches/series/16	Tue Jun  9 15:07:56 2009	(r13747)
@@ -15,3 +15,4 @@
 + bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch
 + bugfix/all/ocfs2-splice-deadlock.patch
 + bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
++ bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch


