[kernel] r15541 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Fri Apr 23 00:33:36 UTC 2010


Author: benh
Date: Fri Apr 23 00:33:24 2010
New Revision: 15541

Log:
r8169: Increase default RX buffer size to avoid RX scattering bug (CVE-2009-4537)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/21lenny5

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Apr 23 00:14:52 2010	(r15540)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Apr 23 00:33:24 2010	(r15541)
@@ -7,6 +7,8 @@
   [ Ben Hutchings ]
   * [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed
     due to fix for CVE-2010-0298; considered obsolete by upstream)
+  * r8169: Increase default RX buffer size to avoid RX scattering bug
+    (CVE-2009-4537)
 
  -- dann frazier <dannf at debian.org>  Wed, 21 Apr 2010 22:37:06 -0600
 
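Review bot: The new changelog entry mentions only the larger default RX buffer, but the CVE-2009-4537 patch added in this revision also raises the rx_copybreak default from 200 to 16383 and makes an MTU change fall back to MTU-sized buffers with a warning. Both are behaviour changes an administrator upgrading would want to see here; consider extending the entry to name them.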

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-Fix-receive-buffer-length.patch	Fri Apr 23 00:33:24 2010	(r15541)
@@ -0,0 +1,59 @@
+From 8812304cf1110ae16b0778680f6022216cf4716a Mon Sep 17 00:00:00 2001
+From: Raimonds Cicans <ray at apollo.lv>
+Date: Fri, 13 Nov 2009 10:52:19 +0000
+Subject: [PATCH] r8169: Fix receive buffer length when MTU is between 1515 and 1536
+
+In r8169 driver MTU is used to calculate receive buffer size.
+Receive buffer size is used to configure hardware incoming packet filter.
+
+For jumbo frames:
+Receive buffer size = Max frame size = MTU + 14 (ethernet header) + 4
+(vlan header) + 4 (ethernet checksum) = MTU + 22
+
+Bug:
+driver for all MTU up to 1536 use receive buffer size 1536
+
+As you can see from formula, this mean all IP packets > 1536 - 22
+(for vlan tagged, 1536 - 18 for not tagged) are dropped by hardware
+filter.
+
+Example:
+
+host_good>  ifconfig eth0 mtu 1536
+host_r8169> ifconfig eth0 mtu 1536
+host_good>  ping host_r8169
+Ok
+host_good>  ping -s 1500 host_r8169
+Fail
+host_good>  ifconfig eth0 mtu 7000
+host_r8169> ifconfig eth0 mtu 7000
+host_good>  ping -s 1500 host_r8169
+Ok
+
+Bonus: got rid of magic number 8
+
+Signed-off-by: Raimonds Cicans <ray at apollo.lv>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/r8169.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+index fa49356..b9221bd 100644
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -3243,9 +3243,9 @@ static void __devexit rtl8169_remove_one(struct pci_dev *pdev)
+ static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+ 				  struct net_device *dev)
+ {
+-	unsigned int mtu = dev->mtu;
++	unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
+ 
+-	tp->rx_buf_sz = (mtu > RX_BUF_SIZE) ? mtu + ETH_HLEN + 8 : RX_BUF_SIZE;
++	tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+ }
+ 
+ static int rtl8169_open(struct net_device *dev)
+-- 
+1.7.0.3
+
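Review bot: In rtl8169_set_rxbufsize() the buffer is now sized to exactly max_frame with no margin, and the commit message says the same value configures the hardware incoming packet filter, so the buffer is only large enough if the NIC actually enforces that filter. A short comment above the `tp->rx_buf_sz = ...` assignment stating that dependency would help anyone reading this together with the later CVE-2009-4537 patch in the series. For jumbo MTUs the size itself is unchanged (the old `mtu + ETH_HLEN + 8` and the new expression are both MTU + 22 per the commit message); only the comparison against RX_BUF_SIZE differs.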

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-clean-up-my-printk-uglyness.patch	Fri Apr 23 00:33:24 2010	(r15541)
@@ -0,0 +1,35 @@
+From 93f4d91d879acfcb0ba9c2725e3133fcff2dfd1e Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman at tuxdriver.com>
+Date: Thu, 1 Apr 2010 07:30:07 +0000
+Subject: [PATCH] r8169: clean up my printk uglyness
+
+Fix formatting on r8169 printk
+
+Brandon Philips noted that I had a spacing issue in my printk for the
+last r8169 patch that made it quite ugly.  Fix that up and add the PFX
+macro to it as well so it looks like the other r8169 printks
+
+Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/r8169.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+index 9674005..dbb1f5a 100644
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -3227,8 +3227,8 @@ static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+ 	unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
+ 
+ 	if (max_frame != 16383)
+-		printk(KERN_WARNING "WARNING! Changing of MTU on this NIC"
+-			"May lead to frame reception errors!\n");
++		printk(KERN_WARNING PFX "WARNING! Changing of MTU on this "
++			"NIC may lead to frame reception errors!\n");
+ 
+ 	tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+ }
+-- 
+1.7.0.3
+
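Review bot: The reworded printk in rtl8169_set_rxbufsize() still does not say which interface triggered it or what the risk is, and the literal "WARNING!" repeats what KERN_WARNING already conveys. Consider dropping the literal prefix and naming the device if it is reachable from tp. The context line `if (max_frame != 16383)` only exists once the CVE-2009-4537 patch has been applied, so this patch has to stay after it in the series file.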

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch	Fri Apr 23 00:33:24 2010	(r15541)
@@ -0,0 +1,121 @@
+From c0cd884af045338476b8e69a61fceb3f34ff22f1 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman at redhat.com>
+Date: Mon, 29 Mar 2010 13:16:02 -0700
+Subject: r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
+
+From: Neil Horman <nhorman at redhat.com>
+
+commit c0cd884af045338476b8e69a61fceb3f34ff22f1 upstream.
+
+Official patch to fix the r8169 frame length check error.
+
+Based on this initial thread:
+http://marc.info/?l=linux-netdev&m=126202972828626&w=1
+This is the official patch to fix the frame length problems in the r8169
+driver.  As noted in the previous thread, while this patch incurs a performance
+hit on the driver, its possible to improve performance dynamically by updating
+the mtu and rx_copybreak values at runtime to return performance to what it was
+for those NICS which are unaffected by the ideosyncracy (if there are any).
+
+Summary:
+
+    A while back Eric submitted a patch for r8169 in which the proper
+allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too
+much data.  This was done in commit fdd7b4c3302c93f6833e338903ea77245eb510b4.  A
+long time prior to that however, Francois posted
+126fa4b9ca5d9d7cb7d46f779ad3bd3631ca387c, which expiclitly disabled the MaxSize
+setting due to the fact that the hardware behaved in odd ways when overlong
+frames were received on NIC's supported by this driver.  This was mentioned in a
+security conference recently:
+http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
+
+It seems that if we can't enable frame size filtering, then, as Eric correctly
+noticed, we can find ourselves DMA-ing too much data to a buffer, causing
+corruption.  As a result is seems that we are forced to allocate a frame which
+is ready to handle a maximally sized receive.
+
+This obviously has performance issues with it, so to mitigate that issue, this
+patch does two things:
+
+1) Raises the copybreak value to the frame allocation size, which should force
+appropriately sized packets to get allocated on rx, rather than a full new 16k
+buffer.
+
+2) This patch only disables frame filtering initially (i.e., during the NIC
+open), changing the MTU results in ring buffer allocation of a size in relation
+to the new mtu (along with a warning indicating that this is dangerous).
+
+Because of item (2), individuals who can't cope with the performance hit (or can
+otherwise filter frames to prevent the bug), or who have hardware they are sure
+is unaffected by this issue, can manually lower the copybreak and reset the mtu
+such that performance is restored easily.
+
+Signed-off-by: Neil Horman <nhorman at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Cc: maximilian attems <max at stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/net/r8169.c |   29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -186,7 +186,12 @@ static struct pci_device_id rtl8169_pci_
+ 
+ MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
+ 
+-static int rx_copybreak = 200;
++/*
++ * we set our copybreak very high so that we don't have
++ * to allocate 16k frames all the time (see note in
++ * rtl8169_open()
++ */
++static int rx_copybreak = 16383;
+ static int use_dac;
+ static struct {
+ 	u32 msg_enable;
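Review bot: The literal 16383 introduced here for rx_copybreak is repeated in rtl8169_set_rxbufsize() and rtl8169_open() later in this patch; a single named constant for the RxMaxSize "filtering off" value would keep the three sites in step. The new comment is also missing its closing parenthesis after `rtl8169_open()`, and it could state the cost: with the copybreak this high, received frames are copied into an appropriately sized buffer, which is the performance hit the commit message describes.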
+@@ -3245,9 +3250,13 @@ static void __devexit rtl8169_remove_one
+ }
+ 
+ static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+-				  struct net_device *dev)
++				  unsigned int mtu)
+ {
+-	unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++	unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++
++	if (max_frame != 16383)
++		printk(KERN_WARNING "WARNING! Changing of MTU on this NIC"
++			"May lead to frame reception errors!\n");
+ 
+ 	tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+ }
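Review bot: The `max_frame != 16383` test in rtl8169_set_rxbufsize() fires for every MTU other than 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN, so it logs on any ordinary MTU change, and the message is the only safeguard on that path. The text should name the actual risk from the commit message (the NIC DMA-ing an overlength frame into a smaller buffer on affected hardware) rather than "frame reception errors". The two string literals also concatenate to "NICMay" and lack the PFX used by the other r8169 printks; the follow-up cleanup patch in this revision addresses those two points.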
+@@ -3259,7 +3268,17 @@ static int rtl8169_open(struct net_devic
+ 	int retval = -ENOMEM;
+ 
+ 
+-	rtl8169_set_rxbufsize(tp, dev);
++	/*
++	 * Note that we use a magic value here, its wierd I know
++	 * its done because, some subset of rtl8169 hardware suffers from
++	 * a problem in which frames received that are longer than
++	 * the size set in RxMaxSize register return garbage sizes
++	 * when received.  To avoid this we need to turn off filtering,
++	 * which is done by setting a value of 16383 in the RxMaxSize register
++	 * and allocating 16k frames to handle the largest possible rx value
++	 * thats what the magic math below does.
++	 */
++	rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
+ 
+ 	/*
+ 	 * Rx and Tx desscriptors needs 256 bytes alignment.
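Review bot: The call `rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN)` in rtl8169_open() only yields 16383 because the helper adds the same two constants back; if the helper's header accounting ever changes, the result silently stops being 16383 and the warning starts firing at open. Passing the wanted frame size directly, or adding a helper variant that takes max_frame, would remove that coupling. Nothing in this hunk updates dev->mtu, so after open the buffer size no longer follows from the MTU; the comment could say so explicitly.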
+@@ -3912,7 +3931,7 @@ static int rtl8169_change_mtu(struct net
+ 
+ 	rtl8169_down(dev);
+ 
+-	rtl8169_set_rxbufsize(tp, dev);
++	rtl8169_set_rxbufsize(tp, dev->mtu);
+ 
+ 	ret = rtl8169_init_ring(dev);
+ 	if (ret < 0)
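Review bot: Passing dev->mtu in rtl8169_change_mtu() means an MTU change after open replaces the 16383-byte buffers with MTU-sized ones, which the commit message itself calls dangerous on affected hardware. Nothing in this hunk touches rx_copybreak, so restoring performance also requires lowering the copybreak by hand, as the commit message notes. If the downgrade is meant to be opt-in, a dedicated switch would be clearer than overloading the MTU; at minimum, the need to change both values belongs in a comment at this call.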

Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny5	Fri Apr 23 00:14:52 2010	(r15540)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny5	Fri Apr 23 00:33:24 2010	(r15541)
@@ -1,3 +1,6 @@
 + bugfix/all/usbfs-only-copy-received-data.patch
 + bugfix/all/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch
 + bugfix/x86/kvm-x86-disable-paravirt-mmu-reporting.patch
++ bugfix/all/r8169-Fix-receive-buffer-length.patch
++ bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
++ bugfix/all/r8169-clean-up-my-printk-uglyness.patch


