[kernel] r15081 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Feb 1 04:55:22 UTC 2010
Author: dannf
Date: Mon Feb 1 04:55:19 2010
New Revision: 15081
Log:
e1000e: enhance frame fragment detection (CVE-2009-4538)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
- copied unchanged from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Mon Feb 1 04:53:17 2010 (r15080)
+++ dists/etch-security/linux-2.6.24/debian/changelog Mon Feb 1 04:55:19 2010 (r15081)
@@ -17,6 +17,7 @@
* ext4: Avoid null pointer dereference when decoding EROFS w/o a journal
(CVE-2009-4308)
* e1000: enhance frame fragment detection (CVE-2009-4536)
+ * e1000e: enhance frame fragment detection (CVE-2009-4538)
-- dann frazier <dannf at debian.org> Sun, 31 Jan 2010 17:17:52 -0700
Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch (from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch Mon Feb 1 04:55:19 2010 (r15081, copy of r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch)
@@ -0,0 +1,111 @@
+commit b94b50289622e816adc9f94111cfc2679c80177c
+Author: Jesse Brandeburg <jesse.brandeburg at intel.com>
+Date: Tue Jan 19 14:15:59 2010 +0000
+
+ e1000e: enhance frame fragment detection
+
+ Originally patched by Neil Horman <nhorman at tuxdriver.com>
+
+ e1000e could with a jumbo frame enabled interface, and packet split disabled,
+ receive a packet that would overflow a single rx buffer. While in practice
+ very hard to craft a packet that could abuse this, it is possible.
+
+ this is related to CVE-2009-4538
+
+ Signed-off-by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+ CC: Neil Horman <nhorman at tuxdriver.com>
+ Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c linux-source-2.6.26/drivers/net/e1000e/netdev.c
+--- linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c 2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000e/netdev.c 2010-01-22 16:16:43.000000000 -0700
+@@ -482,14 +482,24 @@ static bool e1000_clean_rx_irq(struct e1
+
+ length = le16_to_cpu(rx_desc->length);
+
+- /* !EOP means multiple descriptors were used to store a single
+- * packet, also make sure the frame isn't just CRC only */
+- if (!(status & E1000_RXD_STAT_EOP) || (length <= 4)) {
++ /*
++ * !EOP means multiple descriptors were used to store a single
++ * packet, if that's the case we need to toss it. In fact, we
++ * need to toss every packet with the EOP bit clear and the
++ * next frame that _does_ have the EOP bit set, as it is by
++ * definition only a frame fragment
++ */
++ if (unlikely(!(status & E1000_RXD_STAT_EOP)))
++ adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++ if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ /* All receives must fit into a single buffer */
+ ndev_dbg(netdev, "%s: Receive packet consumed "
+ "multiple buffers\n", netdev->name);
+ /* recycle */
+ buffer_info->skb = skb;
++ if (status & E1000_RXD_STAT_EOP)
++ adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ goto next_desc;
+ }
+
+@@ -748,10 +758,16 @@ static bool e1000_clean_rx_irq_ps(struct
+ PCI_DMA_FROMDEVICE);
+ buffer_info->dma = 0;
+
+- if (!(staterr & E1000_RXD_STAT_EOP)) {
++ /* see !EOP comment in other rx routine */
++ if (!(staterr & E1000_RXD_STAT_EOP))
++ adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++ if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ ndev_dbg(netdev, "%s: Packet Split buffers didn't pick "
+ "up the full packet\n", netdev->name);
+ dev_kfree_skb_irq(skb);
++ if (staterr & E1000_RXD_STAT_EOP)
++ adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ goto next_desc;
+ }
+
+@@ -1111,6 +1127,7 @@ static void e1000_clean_rx_ring(struct e
+
+ rx_ring->next_to_clean = 0;
+ rx_ring->next_to_use = 0;
++ adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+
+ writel(0, adapter->hw.hw_addr + rx_ring->head);
+ writel(0, adapter->hw.hw_addr + rx_ring->tail);
+@@ -4727,6 +4744,7 @@ static int __devinit e1000_probe(struct
+ adapter->ei = ei;
+ adapter->pba = ei->pba;
+ adapter->flags = ei->flags;
++ adapter->flags2 = ei->flags2;
+ adapter->hw.adapter = adapter;
+ adapter->hw.mac.type = ei->mac;
+ adapter->msg_enable = (1 << NETIF_MSG_DRV | NETIF_MSG_PROBE) - 1;
+--- linux-source-2.6.26.orig/drivers/net/e1000e/e1000.h 2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000e/e1000.h 2010-01-26 11:17:32.000000000 -0700
+@@ -298,11 +298,13 @@ struct e1000_adapter {
+ unsigned long led_status;
+
+ unsigned int flags;
++ unsigned int flags2;
+ };
+
+ struct e1000_info {
+ enum e1000_mac_type mac;
+ unsigned int flags;
++ unsigned int flags2;
+ u32 pba;
+ s32 (*get_variants)(struct e1000_adapter *);
+ struct e1000_mac_operations *mac_ops;
+@@ -343,6 +345,8 @@ struct e1000_info {
+ #define FLAG_RX_RESTART_NOW (1 << 30)
+ #define FLAG_MSI_TEST_FAILED (1 << 31)
+
++#define FLAG2_IS_DISCARDING (1 << 2)
++
+ #define E1000_RX_DESC_PS(R, i) \
+ (&(((union e1000_rx_desc_packet_split *)((R).desc))[i]))
+ #define E1000_GET_DESC(R, i, type) (&(((struct type *)((R).desc))[i]))
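Review bot: The rewritten guard in the first netdev.c hunk (e1000_clean_rx_irq) drops the `(length <= 4)` half of the old condition, so an EOP descriptor carrying a CRC-only frame is no longer recycled at this point; the old comment explicitly listed that case as a reason to toss the frame. Whether the rest of e1000_clean_rx_irq still relies on that guard before subtracting the 4-byte CRC from `length` cannot be seen here, since the function starts and ends outside the hunk; if it does, the new test should read `if (unlikely(!(status & E1000_RXD_STAT_EOP) || length <= 4))` before setting FLAG2_IS_DISCARDING, and if the drop is intentional a short comment such as `/* CRC-only frames are rejected by the length/error checks below */` would record that. The same discarding logic in e1000_clean_rx_irq_ps also has its enclosing function cut at both edges of the hunk. Separately, the patch header and diff paths describe a backport to 2.6.26 while this commit copies the file unchanged into the linux-2.6.24 tree, so it would be worth confirming that the context lines (including the `flags`/`flags2` layout in e1000.h) still apply cleanly to the 2.6.24 e1000e sources.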
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2 Mon Feb 1 04:53:17 2010 (r15080)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2 Mon Feb 1 04:55:19 2010 (r15081)
@@ -14,3 +14,4 @@
+ bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch
+ bugfix/all/ext4-avoid-null-pointer-deref-when-decoding-EROFS-wo-a-journal.patch
+ bugfix/all/e1000-enhance-frame-fragment-detection.patch
++ bugfix/all/e1000e-enhance-frame-fragment-detection.patch