[kernel] r14981 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Jan 22 22:56:38 UTC 2010


Author: dannf
Date: Fri Jan 22 22:56:36 2010
New Revision: 14981

Log:
e1000: enhance frame fragment detection (CVE-2009-4536)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/21lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Jan 22 03:19:52 2010	(r14980)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Jan 22 22:56:36 2010	(r14981)
@@ -2,6 +2,7 @@
 
   [ dann frazier ]
   * mac80211: fix spurious delBA handling (CVE-2009-4027)
+  * e1000: enhance frame fragment detection (CVE-2009-4536)
  
   [ Ben Hutchings ]
   * kernel/signal.c: fix kernel information leak with print-fatal-signals=1

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch	Fri Jan 22 22:56:36 2010	(r14981)
@@ -0,0 +1,59 @@
+commit 40a14deaf411592b57cb0720f0e8004293ab9865
+Author: Jesse Brandeburg <jesse.brandeburg at intel.com>
+Date:   Tue Jan 19 14:15:38 2010 +0000
+
+    e1000: enhance frame fragment detection
+    
+    Originally From: Neil Horman <nhorman at tuxdriver.com>
+    Modified by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+    
+    Hey all-
+    	A security discussion was recently given:
+    http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
+    And a patch that I submitted awhile back was brought up.  Apparently some of
+    their testing revealed that they were able to force a buffer fragment in e1000
+    in which the trailing fragment was greater than 4 bytes.  As a result the
+    fragment check I introduced failed to detect the fragement and a partial
+    invalid frame was passed up into the network stack.  I've written this patch
+    to correct it.  I'm in the process of testing it now, but it makes good
+    logical sense to me.  Effectively it maintains a per-adapter state variable
+    which detects a non-EOP frame, and discards it and subsequent non-EOP frames
+    leading up to _and_ _including_ the next positive-EOP frame (as it is by
+    definition the last fragment).  This should prevent any and all partial frames
+    from entering the network stack from e1000.
+    
+    Signed-off-by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+    Acked-by: Neil Horman <nhorman at tuxdriver.com>
+    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/e1000/e1000_main.c linux-source-2.6.26/drivers/net/e1000/e1000_main.c
+--- linux-source-2.6.26.orig/drivers/net/e1000/e1000_main.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000/e1000_main.c	2010-01-22 15:43:22.000000000 -0700
+@@ -4241,13 +4241,22 @@ e1000_clean_rx_irq(struct e1000_adapter 
+ 
+ 		length = le16_to_cpu(rx_desc->length);
+ 		/* !EOP means multiple descriptors were used to store a single
+-		 * packet, also make sure the frame isn't just CRC only */
+-		if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) {
++		 * packet, if thats the case we need to toss it.  In fact, we
++		 * to toss every packet with the EOP bit clear and the next
++		 * frame that _does_ have the EOP bit set, as it is by
++		 * definition only a frame fragment
++		 */
++		if (unlikely(!(status & E1000_RXD_STAT_EOP)))
++			adapter->discarding = true;
++
++		if (adapter->discarding) {
+ 			/* All receives must fit into a single buffer */
+ 			E1000_DBG("%s: Receive packet consumed multiple"
+ 				  " buffers\n", netdev->name);
+ 			/* recycle */
+ 			buffer_info->skb = skb;
++			if (status & E1000_RXD_STAT_EOP)
++				adapter->discarding = false;
+ 			goto next_desc;
+ 		}
+ 
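Review bot: the e1000_main.c hunk reads and writes `adapter->discarding`, but nothing in this backport declares that member: the patch file carries only the `e1000_main.c` diff, so unless the Lenny 2.6.26 tree already has a `bool discarding;` in `struct e1000_adapter` (drivers/net/e1000/e1000.h, where the upstream commit adds it), this will not build. Please add the header hunk to the backport. Two smaller points: the removed condition `if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4)))` also dropped the "frame isn't just CRC only" guard, and the new `if (unlikely(!(status & E1000_RXD_STAT_EOP)))` check does not replace it, so confirm a CRC-only EOP descriptor is still rejected elsewhere in this function; and the new comment reads "if thats the case we need to toss it.  In fact, we / to toss every packet", which is missing a word ("we need to toss") and an apostrophe.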

Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny1	Fri Jan 22 03:19:52 2010	(r14980)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny1	Fri Jan 22 22:56:36 2010	(r14981)
@@ -1,3 +1,4 @@
 + bugfix/all/mac80211-fix-spurious-delBA-handling.patch
 + bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
 + bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
++ bugfix/all/e1000-enhance-frame-fragment-detection.patch
