[kernel] r14982 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Jan 22 23:30:29 UTC 2010
Author: dannf
Date: Fri Jan 22 23:30:27 2010
New Revision: 14982
Log:
e1000e: enhance frame fragment detection (CVE-2009-4538)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Fri Jan 22 22:56:36 2010 (r14981)
+++ dists/lenny-security/linux-2.6/debian/changelog Fri Jan 22 23:30:27 2010 (r14982)
@@ -3,6 +3,7 @@
[ dann frazier ]
* mac80211: fix spurious delBA handling (CVE-2009-4027)
* e1000: enhance frame fragment detection (CVE-2009-4536)
+ * e1000e: enhance frame fragment detection (CVE-2009-4538)
[ Ben Hutchings ]
* kernel/signal.c: fix kernel information leak with print-fatal-signals=1
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch Fri Jan 22 23:30:27 2010 (r14982)
@@ -0,0 +1,86 @@
+commit b94b50289622e816adc9f94111cfc2679c80177c
+Author: Jesse Brandeburg <jesse.brandeburg at intel.com>
+Date: Tue Jan 19 14:15:59 2010 +0000
+
+ e1000e: enhance frame fragment detection
+
+ Originally patched by Neil Horman <nhorman at tuxdriver.com>
+
+ e1000e could with a jumbo frame enabled interface, and packet split disabled,
+ receive a packet that would overflow a single rx buffer. While in practice
+ very hard to craft a packet that could abuse this, it is possible.
+
+ this is related to CVE-2009-4538
+
+ Signed-off-by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+ CC: Neil Horman <nhorman at tuxdriver.com>
+ Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c linux-source-2.6.26/drivers/net/e1000e/netdev.c
+--- linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c 2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000e/netdev.c 2010-01-22 16:16:43.000000000 -0700
+@@ -482,14 +482,24 @@ static bool e1000_clean_rx_irq(struct e1
+
+ length = le16_to_cpu(rx_desc->length);
+
+- /* !EOP means multiple descriptors were used to store a single
+- * packet, also make sure the frame isn't just CRC only */
+- if (!(status & E1000_RXD_STAT_EOP) || (length <= 4)) {
++ /*
++ * !EOP means multiple descriptors were used to store a single
++ * packet, if that's the case we need to toss it. In fact, we
++ * need to toss every packet with the EOP bit clear and the
++ * next frame that _does_ have the EOP bit set, as it is by
++ * definition only a frame fragment
++ */
++ if (unlikely(!(status & E1000_RXD_STAT_EOP)))
++ adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++ if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ /* All receives must fit into a single buffer */
+ ndev_dbg(netdev, "%s: Receive packet consumed "
+ "multiple buffers\n", netdev->name);
+ /* recycle */
+ buffer_info->skb = skb;
++ if (status & E1000_RXD_STAT_EOP)
++ adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ goto next_desc;
+ }
+
+@@ -748,10 +758,16 @@ static bool e1000_clean_rx_irq_ps(struct
+ PCI_DMA_FROMDEVICE);
+ buffer_info->dma = 0;
+
+- if (!(staterr & E1000_RXD_STAT_EOP)) {
++ /* see !EOP comment in other rx routine */
++ if (!(staterr & E1000_RXD_STAT_EOP))
++ adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++ if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ ndev_dbg(netdev, "%s: Packet Split buffers didn't pick "
+ "up the full packet\n", netdev->name);
+ dev_kfree_skb_irq(skb);
++ if (staterr & E1000_RXD_STAT_EOP)
++ adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ goto next_desc;
+ }
+
+@@ -1111,6 +1127,7 @@ static void e1000_clean_rx_ring(struct e
+
+ rx_ring->next_to_clean = 0;
+ rx_ring->next_to_use = 0;
++ adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+
+ writel(0, adapter->hw.hw_addr + rx_ring->head);
+ writel(0, adapter->hw.hw_addr + rx_ring->tail);
+@@ -4727,6 +4744,7 @@ static int __devinit e1000_probe(struct
+ adapter->ei = ei;
+ adapter->pba = ei->pba;
+ adapter->flags = ei->flags;
++ adapter->flags2 = ei->flags2;
+ adapter->hw.adapter = adapter;
+ adapter->hw.mac.type = ei->mac;
+ adapter->msg_enable = (1 << NETIF_MSG_DRV | NETIF_MSG_PROBE) - 1;
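Review bot: The backported patch file diffs only drivers/net/e1000e/netdev.c, yet the new code reads `adapter->flags2`, `ei->flags2` and `FLAG2_IS_DISCARDING` (hunks at netdev.c:482, :758 and :4744); unless the 2.6.26 tree's e1000.h already declares a `flags2` member on both e1000_adapter and e1000_info and defines that flag bit, this will not build, so that is worth confirming before upload. The rewritten condition in e1000_clean_rx_irq also drops the old `(length <= 4)` CRC-only check that the removed comment documented; that presumably mirrors the upstream commit named in the header, but the backport note should state it, e.g. `Note: the CRC-only (length <= 4) check is dropped here as in upstream.` All four hunks sit inside functions (e1000_clean_rx_irq, e1000_clean_rx_irq_ps, e1000_clean_rx_ring, e1000_probe) whose bodies start and end outside the hunks, so the recycle/free paths that clear FLAG2_IS_DISCARDING on EOP could not be checked against the rest of each loop here.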
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny1 Fri Jan 22 22:56:36 2010 (r14981)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny1 Fri Jan 22 23:30:27 2010 (r14982)
@@ -2,3 +2,4 @@
+ bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
+ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
+ bugfix/all/e1000-enhance-frame-fragment-detection.patch
++ bugfix/all/e1000e-enhance-frame-fragment-detection.patch