oss-sec mailing list archives
CVE-2009-1389 kernel: r8169: fix crash when large packets are received
From: Eugene Teo <eugene () redhat com>
Date: Wed, 10 Jun 2009 13:32:45 +0800
"Michael Tokarev reported receiving a large packet could crash a machine with RTL8169 NIC. Problem is this driver tells that NIC frames up to 16383 bytes can be received but provides skb to rx ring allocated with smaller sizes (1536 bytes in case standard 1500 bytes MTU is used). When a frame larger than what was allocated by driver is received, dma transfer can occurs past the end of buffer and corrupt kernel memory.
Fix is to tell to NIC what is the maximum size a frame can be. This bug is very old, (before git introduction, linux-2.6.10)."
I have informed Willy (2.4 maintainer) about this. Upstream 2.6 commit:http://git.kernel.org/linus/fdd7b4c3302c93f6833e338903ea77245eb510b4 (v2.6.30)
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1389 http://marc.info/?t=123462473200002 http://lkml.org/lkml/2009/6/8/194 http://www.corpit.ru/mjt/r8169-mtu-oops.jpg http://article.gmane.org/gmane.linux.network/130114 http://www.mail-archive.com/debian-kernel () lists debian org/msg45651.html Thanks, Eugene
Current thread:
- CVE-2009-1389 kernel: r8169: fix crash when large packets are received Eugene Teo (Jun 09)