[kernel] r14981 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Jan 22 22:56:38 UTC 2010
Author: dannf
Date: Fri Jan 22 22:56:36 2010
New Revision: 14981
Log:
e1000: enhance frame fragment detection (CVE-2009-4536)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Fri Jan 22 03:19:52 2010 (r14980)
+++ dists/lenny-security/linux-2.6/debian/changelog Fri Jan 22 22:56:36 2010 (r14981)
@@ -2,6 +2,7 @@
[ dann frazier ]
* mac80211: fix spurious delBA handling (CVE-2009-4027)
+ * e1000: enhance frame fragment detection (CVE-2009-4536)
[ Ben Hutchings ]
* kernel/signal.c: fix kernel information leak with print-fatal-signals=1
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch Fri Jan 22 22:56:36 2010 (r14981)
@@ -0,0 +1,59 @@
+commit 40a14deaf411592b57cb0720f0e8004293ab9865
+Author: Jesse Brandeburg <jesse.brandeburg at intel.com>
+Date: Tue Jan 19 14:15:38 2010 +0000
+
+ e1000: enhance frame fragment detection
+
+ Originally From: Neil Horman <nhorman at tuxdriver.com>
+ Modified by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+
+ Hey all-
+ A security discussion was recently given:
+ http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
+ And a patch that I submitted awhile back was brought up. Apparently some of
+ their testing revealed that they were able to force a buffer fragment in e1000
+ in which the trailing fragment was greater than 4 bytes. As a result the
+ fragment check I introduced failed to detect the fragement and a partial
+ invalid frame was passed up into the network stack. I've written this patch
+ to correct it. I'm in the process of testing it now, but it makes good
+ logical sense to me. Effectively it maintains a per-adapter state variable
+ which detects a non-EOP frame, and discards it and subsequent non-EOP frames
+ leading up to _and_ _including_ the next positive-EOP frame (as it is by
+ definition the last fragment). This should prevent any and all partial frames
+ from entering the network stack from e1000.
+
+ Signed-off-by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+ Acked-by: Neil Horman <nhorman at tuxdriver.com>
+ Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/e1000/e1000_main.c linux-source-2.6.26/drivers/net/e1000/e1000_main.c
+--- linux-source-2.6.26.orig/drivers/net/e1000/e1000_main.c 2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000/e1000_main.c 2010-01-22 15:43:22.000000000 -0700
+@@ -4241,13 +4241,22 @@ e1000_clean_rx_irq(struct e1000_adapter
+
+ length = le16_to_cpu(rx_desc->length);
+ /* !EOP means multiple descriptors were used to store a single
+- * packet, also make sure the frame isn't just CRC only */
+- if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) {
++ * packet, if thats the case we need to toss it. In fact, we
++ * to toss every packet with the EOP bit clear and the next
++ * frame that _does_ have the EOP bit set, as it is by
++ * definition only a frame fragment
++ */
++ if (unlikely(!(status & E1000_RXD_STAT_EOP)))
++ adapter->discarding = true;
++
++ if (adapter->discarding) {
+ /* All receives must fit into a single buffer */
+ E1000_DBG("%s: Receive packet consumed multiple"
+ " buffers\n", netdev->name);
+ /* recycle */
+ buffer_info->skb = skb;
++ if (status & E1000_RXD_STAT_EOP)
++ adapter->discarding = false;
+ goto next_desc;
+ }
+
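Review bot: adapter->discarding is read and written in the e1000_clean_rx_irq hunk, but this patch file touches only drivers/net/e1000/e1000_main.c and none of its 59 lines declares that member in struct e1000_adapter. Unless the 2.6.26 tree already carries the field, the backport needs a second hunk adding `bool discarding;` to the adapter structure, otherwise the driver will not build. Separately, the replaced condition also drops the `(length <= 4)` test, so an EOP descriptor holding only a CRC is no longer recycled at this point; confirm that a later length check covers that case, or keep the test alongside the new flag. In the visible lines the flag is cleared only when an EOP descriptor arrives, so it is also worth resetting it wherever the RX ring is re-initialised, so a stale true value cannot discard the first complete frame afterwards.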
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny1 Fri Jan 22 03:19:52 2010 (r14980)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny1 Fri Jan 22 22:56:36 2010 (r14981)
@@ -1,3 +1,4 @@
+ bugfix/all/mac80211-fix-spurious-delBA-handling.patch
+ bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
+ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
++ bugfix/all/e1000-enhance-frame-fragment-detection.patch