From: Ivan Vecera <ivecera@redhat.com> Date: Tue, 16 Jun 2009 10:08:01 +0200 Subject: [net] r8169: fix crash when large packets are received Message-id: 1245139681-8310-1-git-send-email-ivecera@redhat.com O-Subject: [RHEL5.4 PATCH] [net] r8169: fix crash when large packets are received Bugzilla: 504732 RH-Acked-by: Michal Schmidt <mschmidt@redhat.com> RH-Acked-by: Jiri Pirko <jpirko@redhat.com> RH-Acked-by: Rik van Riel <riel@redhat.com> RH-Acked-by: Jerome Marchand <jmarchan@redhat.com> CVE: CVE-2009-1389 BZs: #504732 - CVE-2009-1389 kernel: r8169: fix crash when large packets are received Description: A large packet could crash a machine with RTL8169 based NIC. The driver informs NIC that frames up to 16383 bytes can be received but provides RX ring allocated with smaller sizes (1536 bytes for 1500 MTU). When a frame larger than what was allocated by driver is received, DMA transfert can occurs past the end of buffer and corrupt kernel memory. The NIC should know the real maximum frame size. Upstream commits: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fdd7b4c3302c93f6833e338903ea77245eb510b4 Signed-off-by: Ivan Vecera <ivecera@redhat.com> diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c index a6020dd..48ca235 100644 --- a/drivers/net/r8169.c +++ b/drivers/net/r8169.c @@ -67,7 +67,6 @@ static const int multicast_filter_limit = 32; #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */ #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */ #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */ -#define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... */ #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */ #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */ @@ -2345,10 +2344,10 @@ static u16 rtl_rw_cpluscmd(void __iomem *ioaddr) return cmd; } -static void rtl_set_rx_max_size(void __iomem *ioaddr) +static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz) { /* Low hurts. Let's disable the filtering. */ - RTL_W16(RxMaxSize, 16383); + RTL_W16(RxMaxSize, rx_buf_sz); } static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version) @@ -2395,7 +2394,7 @@ static void rtl_hw_start_8169(struct net_device *dev) RTL_W8(EarlyTxThres, EarlyTxThld); - rtl_set_rx_max_size(ioaddr); + rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz); if ((tp->mac_version == RTL_GIGA_MAC_VER_01) || (tp->mac_version == RTL_GIGA_MAC_VER_02) || @@ -2656,7 +2655,7 @@ static void rtl_hw_start_8168(struct net_device *dev) RTL_W8(EarlyTxThres, EarlyTxThld); - rtl_set_rx_max_size(ioaddr); + rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz); tp->cp_cmd |= RTL_R16(CPlusCmd) | PktCntrDisable | INTT_1; @@ -2834,7 +2833,7 @@ static void rtl_hw_start_8101(struct net_device *dev) RTL_W8(EarlyTxThres, EarlyTxThld); - rtl_set_rx_max_size(ioaddr); + rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz); tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;