[kernel] r14982 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Jan 22 23:30:29 UTC 2010


Author: dannf
Date: Fri Jan 22 23:30:27 2010
New Revision: 14982

Log:
e1000e: enhance frame fragment detection (CVE-2009-4538)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/21lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Jan 22 22:56:36 2010	(r14981)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Jan 22 23:30:27 2010	(r14982)
@@ -3,6 +3,7 @@
   [ dann frazier ]
   * mac80211: fix spurious delBA handling (CVE-2009-4027)
   * e1000: enhance frame fragment detection (CVE-2009-4536)
+  * e1000e: enhance frame fragment detection (CVE-2009-4538)
  
   [ Ben Hutchings ]
   * kernel/signal.c: fix kernel information leak with print-fatal-signals=1

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch	Fri Jan 22 23:30:27 2010	(r14982)
@@ -0,0 +1,86 @@
+commit b94b50289622e816adc9f94111cfc2679c80177c
+Author: Jesse Brandeburg <jesse.brandeburg at intel.com>
+Date:   Tue Jan 19 14:15:59 2010 +0000
+
+    e1000e: enhance frame fragment detection
+    
+    Originally patched by Neil Horman <nhorman at tuxdriver.com>
+    
+    e1000e could with a jumbo frame enabled interface, and packet split disabled,
+    receive a packet that would overflow a single rx buffer.  While in practice
+    very hard to craft a packet that could abuse this, it is possible.
+    
+    this is related to CVE-2009-4538
+    
+    Signed-off-by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+    CC: Neil Horman <nhorman at tuxdriver.com>
+    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c linux-source-2.6.26/drivers/net/e1000e/netdev.c
+--- linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c	2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000e/netdev.c	2010-01-22 16:16:43.000000000 -0700
+@@ -482,14 +482,24 @@ static bool e1000_clean_rx_irq(struct e1
+ 
+ 		length = le16_to_cpu(rx_desc->length);
+ 
+-		/* !EOP means multiple descriptors were used to store a single
+-		 * packet, also make sure the frame isn't just CRC only */
+-		if (!(status & E1000_RXD_STAT_EOP) || (length <= 4)) {
++		/*
++		 * !EOP means multiple descriptors were used to store a single
++		 * packet, if that's the case we need to toss it.  In fact, we
++		 * need to toss every packet with the EOP bit clear and the
++		 * next frame that _does_ have the EOP bit set, as it is by
++		 * definition only a frame fragment
++		 */
++		if (unlikely(!(status & E1000_RXD_STAT_EOP)))
++			adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++		if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ 			/* All receives must fit into a single buffer */
+ 			ndev_dbg(netdev, "%s: Receive packet consumed "
+ 				 "multiple buffers\n", netdev->name);
+ 			/* recycle */
+ 			buffer_info->skb = skb;
++			if (status & E1000_RXD_STAT_EOP)
++				adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 			goto next_desc;
+ 		}
+ 
+@@ -748,10 +758,16 @@ static bool e1000_clean_rx_irq_ps(struct
+ 				 PCI_DMA_FROMDEVICE);
+ 		buffer_info->dma = 0;
+ 
+-		if (!(staterr & E1000_RXD_STAT_EOP)) {
++		/* see !EOP comment in other rx routine */
++		if (!(staterr & E1000_RXD_STAT_EOP))
++			adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++		if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ 			ndev_dbg(netdev, "%s: Packet Split buffers didn't pick "
+ 				 "up the full packet\n", netdev->name);
+ 			dev_kfree_skb_irq(skb);
++			if (staterr & E1000_RXD_STAT_EOP)
++				adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 			goto next_desc;
+ 		}
+ 
+@@ -1111,6 +1127,7 @@ static void e1000_clean_rx_ring(struct e
+ 
+ 	rx_ring->next_to_clean = 0;
+ 	rx_ring->next_to_use = 0;
++	adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 
+ 	writel(0, adapter->hw.hw_addr + rx_ring->head);
+ 	writel(0, adapter->hw.hw_addr + rx_ring->tail);
+@@ -4727,6 +4744,7 @@ static int __devinit e1000_probe(struct 
+ 	adapter->ei = ei;
+ 	adapter->pba = ei->pba;
+ 	adapter->flags = ei->flags;
++	adapter->flags2 = ei->flags2;
+ 	adapter->hw.adapter = adapter;
+ 	adapter->hw.mac.type = ei->mac;
+ 	adapter->msg_enable = (1 << NETIF_MSG_DRV | NETIF_MSG_PROBE) - 1;
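Review bot: The new code reads and writes `adapter->flags2`, `ei->flags2` and `FLAG2_IS_DISCARDING` (the `+=` at `flags2 |= FLAG2_IS_DISCARDING` in both rx routines, the clear in e1000_clean_rx_ring, and `adapter->flags2 = ei->flags2;` in e1000_probe), yet the added patch is 86 lines in total (`@@ -0,0 +1,86 @@`) and touches only netdev.c; unless the lenny 2.6.26 tree already declares a `flags2` member in both `struct e1000_adapter` and `struct e1000_info` and defines `FLAG2_IS_DISCARDING` in e1000.h, this will not build, so the backport presumably needs a matching e1000.h hunk (`unsigned int flags2;` in both structs plus a `#define FLAG2_IS_DISCARDING (1 << N)` with a bit not already in use there). Separately, the first hunk drops the old `(length <= 4)` test along with its "frame isn't just CRC only" comment, so a 4-byte receive with EOP set is no longer recycled; if the CRC adjustment later in e1000_clean_rx_irq still subtracts 4 from `length` (outside this hunk), that frame now reaches skb_put with length 0 rather than being discarded, which is worth confirming against the rest of the function or re-adding as `if (unlikely(length <= 4)) { buffer_info->skb = skb; goto next_desc; }` after the discarding block. The bodies of e1000_clean_rx_irq and e1000_clean_rx_irq_ps start and end outside the shown hunks.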

Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny1	Fri Jan 22 22:56:36 2010	(r14981)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny1	Fri Jan 22 23:30:27 2010	(r14982)
@@ -2,3 +2,4 @@
 + bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
 + bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
 + bugfix/all/e1000-enhance-frame-fragment-detection.patch
++ bugfix/all/e1000e-enhance-frame-fragment-detection.patch


