[kernel] r15081 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Feb 1 04:55:22 UTC 2010


Author: dannf
Date: Mon Feb  1 04:55:19 2010
New Revision: 15081

Log:
e1000e: enhance frame fragment detection (CVE-2009-4538)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
      - copied unchanged from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Feb  1 04:53:17 2010	(r15080)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Feb  1 04:55:19 2010	(r15081)
@@ -17,6 +17,7 @@
   * ext4: Avoid null pointer dereference when decoding EROFS w/o a journal
     (CVE-2009-4308)
   * e1000: enhance frame fragment detection (CVE-2009-4536)
+  * e1000e: enhance frame fragment detection (CVE-2009-4538)
 
  -- dann frazier <dannf at debian.org>  Sun, 31 Jan 2010 17:17:52 -0700
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch (from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch	Mon Feb  1 04:55:19 2010	(r15081, copy of r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch)
@@ -0,0 +1,111 @@
+commit b94b50289622e816adc9f94111cfc2679c80177c
+Author: Jesse Brandeburg <jesse.brandeburg at intel.com>
+Date:   Tue Jan 19 14:15:59 2010 +0000
+
+    e1000e: enhance frame fragment detection
+    
+    Originally patched by Neil Horman <nhorman at tuxdriver.com>
+    
+    e1000e could with a jumbo frame enabled interface, and packet split disabled,
+    receive a packet that would overflow a single rx buffer.  While in practice
+    very hard to craft a packet that could abuse this, it is possible.
+    
+    this is related to CVE-2009-4538
+    
+    Signed-off-by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+    CC: Neil Horman <nhorman at tuxdriver.com>
+    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c linux-source-2.6.26/drivers/net/e1000e/netdev.c
+--- linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c	2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000e/netdev.c	2010-01-22 16:16:43.000000000 -0700
+@@ -482,14 +482,24 @@ static bool e1000_clean_rx_irq(struct e1
+ 
+ 		length = le16_to_cpu(rx_desc->length);
+ 
+-		/* !EOP means multiple descriptors were used to store a single
+-		 * packet, also make sure the frame isn't just CRC only */
+-		if (!(status & E1000_RXD_STAT_EOP) || (length <= 4)) {
++		/*
++		 * !EOP means multiple descriptors were used to store a single
++		 * packet, if that's the case we need to toss it.  In fact, we
++		 * need to toss every packet with the EOP bit clear and the
++		 * next frame that _does_ have the EOP bit set, as it is by
++		 * definition only a frame fragment
++		 */
++		if (unlikely(!(status & E1000_RXD_STAT_EOP)))
++			adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++		if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ 			/* All receives must fit into a single buffer */
+ 			ndev_dbg(netdev, "%s: Receive packet consumed "
+ 				 "multiple buffers\n", netdev->name);
+ 			/* recycle */
+ 			buffer_info->skb = skb;
++			if (status & E1000_RXD_STAT_EOP)
++				adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 			goto next_desc;
+ 		}
+ 
+@@ -748,10 +758,16 @@ static bool e1000_clean_rx_irq_ps(struct
+ 				 PCI_DMA_FROMDEVICE);
+ 		buffer_info->dma = 0;
+ 
+-		if (!(staterr & E1000_RXD_STAT_EOP)) {
++		/* see !EOP comment in other rx routine */
++		if (!(staterr & E1000_RXD_STAT_EOP))
++			adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++		if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ 			ndev_dbg(netdev, "%s: Packet Split buffers didn't pick "
+ 				 "up the full packet\n", netdev->name);
+ 			dev_kfree_skb_irq(skb);
++			if (staterr & E1000_RXD_STAT_EOP)
++				adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 			goto next_desc;
+ 		}
+ 
+@@ -1111,6 +1127,7 @@ static void e1000_clean_rx_ring(struct e
+ 
+ 	rx_ring->next_to_clean = 0;
+ 	rx_ring->next_to_use = 0;
++	adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 
+ 	writel(0, adapter->hw.hw_addr + rx_ring->head);
+ 	writel(0, adapter->hw.hw_addr + rx_ring->tail);
+@@ -4727,6 +4744,7 @@ static int __devinit e1000_probe(struct 
+ 	adapter->ei = ei;
+ 	adapter->pba = ei->pba;
+ 	adapter->flags = ei->flags;
++	adapter->flags2 = ei->flags2;
+ 	adapter->hw.adapter = adapter;
+ 	adapter->hw.mac.type = ei->mac;
+ 	adapter->msg_enable = (1 << NETIF_MSG_DRV | NETIF_MSG_PROBE) - 1;
+--- linux-source-2.6.26.orig/drivers/net/e1000e/e1000.h	2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000e/e1000.h	2010-01-26 11:17:32.000000000 -0700
+@@ -298,11 +298,13 @@ struct e1000_adapter {
+ 	unsigned long led_status;
+ 
+ 	unsigned int flags;
++	unsigned int flags2;
+ };
+ 
+ struct e1000_info {
+ 	enum e1000_mac_type	mac;
+ 	unsigned int		flags;
++	unsigned int		flags2;
+ 	u32			pba;
+ 	s32			(*get_variants)(struct e1000_adapter *);
+ 	struct e1000_mac_operations *mac_ops;
+@@ -343,6 +345,8 @@ struct e1000_info {
+ #define FLAG_RX_RESTART_NOW               (1 << 30)
+ #define FLAG_MSI_TEST_FAILED              (1 << 31)
+ 
++#define FLAG2_IS_DISCARDING               (1 << 2)
++
+ #define E1000_RX_DESC_PS(R, i)	    \
+ 	(&(((union e1000_rx_desc_packet_split *)((R).desc))[i]))
+ #define E1000_GET_DESC(R, i, type)	(&(((struct type *)((R).desc))[i]))
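Review bot: The rewritten condition at the top of e1000_clean_rx_irq drops the `(length <= 4)` guard that the removed line kept alongside the EOP test, and nothing on the new side of that hunk re-checks the frame length. The removed comment describes that guard as rejecting CRC-only frames, so if the function later subtracts the CRC from `length` and `length` is unsigned (its declaration and the rest of the body lie outside the hunk, so neither can be confirmed here), a length of 4 or less would now reach that subtraction and wrap to a huge value before the skb is sized. Keeping the guard on the discard test preserves the old behaviour without touching the new flag logic: `if ((adapter->flags2 & FLAG2_IS_DISCARDING) || length <= 4) {`. Separately, the patch header says it was backported to 2.6.26 while this commit adds it to the linux-2.6.24 tree; presumably it applies with offsets, but that is worth confirming against the 2.6.24 e1000e sources.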

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Mon Feb  1 04:53:17 2010	(r15080)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Mon Feb  1 04:55:19 2010	(r15081)
@@ -14,3 +14,4 @@
 + bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch
 + bugfix/all/ext4-avoid-null-pointer-deref-when-decoding-EROFS-wo-a-journal.patch
 + bugfix/all/e1000-enhance-frame-fragment-detection.patch
++ bugfix/all/e1000e-enhance-frame-fragment-detection.patch


