[kernel] r13809 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Jun 13 23:11:57 UTC 2009
Author: dannf
Date: Sat Jun 13 23:11:56 2009
New Revision: 13809
Log:
r8169: fix crash when large packets are received (CVE-2009-1389)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
- copied unchanged from r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Sat Jun 13 23:02:36 2009 (r13808)
+++ dists/etch-security/linux-2.6.24/debian/changelog Sat Jun 13 23:11:56 2009 (r13809)
@@ -1,6 +1,7 @@
linux-2.6.24 (2.6.24-6~etchnhalf.8etch2) UNRELEASED; urgency=high
* e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
+ * r8169: fix crash when large packets are received (CVE-2009-1389)
-- dann frazier <dannf at debian.org> Sat, 06 Jun 2009 09:49:28 -0600
Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch (from r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch Sat Jun 13 23:11:56 2009 (r13809, copy of r13805, dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch)
@@ -0,0 +1,81 @@
+commit fdd7b4c3302c93f6833e338903ea77245eb510b4
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Tue Jun 9 04:01:02 2009 -0700
+
+ r8169: fix crash when large packets are received
+
+ Michael Tokarev reported receiving a large packet could crash
+ a machine with RTL8169 NIC.
+ ( original thread at http://lkml.org/lkml/2009/6/8/192 )
+
+ Problem is this driver tells that NIC frames up to 16383 bytes
+ can be received but provides skb to rx ring allocated with
+ smaller sizes (1536 bytes in case standard 1500 bytes MTU is used)
+
+ When a frame larger than what was allocated by driver is received,
+ dma transfert can occurs past the end of buffer and corrupt
+ kernel memory.
+
+ Fix is to tell to NIC what is the maximum size a frame can be.
+
+ This bug is very old, (before git introduction, linux-2.6.10), and
+ should be backported to stable versions.
+
+ Reported-by: Michael Tokarev <mjt at tls.msk.ru>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Tested-by: Michael Tokarev <mjt at tls.msk.ru>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/r8169.c linux-source-2.6.26/drivers/net/r8169.c
+--- linux-source-2.6.26.orig/drivers/net/r8169.c 2009-05-11 12:06:52.000000000 -0600
++++ linux-source-2.6.26/drivers/net/r8169.c 2009-06-09 08:44:34.000000000 -0600
+@@ -81,7 +81,6 @@ static const int multicast_filter_limit
+ #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */
+-#define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */
+ #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
+
+@@ -1982,10 +1981,10 @@ static u16 rtl_rw_cpluscmd(void __iomem
+ return cmd;
+ }
+
+-static void rtl_set_rx_max_size(void __iomem *ioaddr)
++static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
+ {
+ /* Low hurts. Let's disable the filtering. */
+- RTL_W16(RxMaxSize, 16383);
++ RTL_W16(RxMaxSize, rx_buf_sz);
+ }
+
+ static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
+@@ -2032,7 +2031,7 @@ static void rtl_hw_start_8169(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
+@@ -2096,7 +2095,7 @@ static void rtl_hw_start_8168(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ rtl_set_rx_tx_config_registers(tp);
+
+@@ -2150,7 +2149,7 @@ static void rtl_hw_start_8101(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
+
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2 Sat Jun 13 23:02:36 2009 (r13808)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2 Sat Jun 13 23:11:56 2009 (r13809)
@@ -1 +1,2 @@
+ bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
++ bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
More information about the Kernel-svn-changes
mailing list