[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2009-1389 kernel: r8169: fix crash when large packets are received
From: Eugene Teo <eugene () redhat ! com>
Date: 2009-06-10 5:32:45
Message-ID: 4A2F457D.4010809 () redhat ! com
[Download RAW message or body]
"Michael Tokarev reported receiving a large packet could crash a machine
with RTL8169 NIC. Problem is this driver tells that NIC frames up to
16383 bytes can be received but provides skb to rx ring allocated with
smaller sizes (1536 bytes in case standard 1500 bytes MTU is used). When
a frame larger than what was allocated by driver is received, dma
transfer can occurs past the end of buffer and corrupt kernel memory.
Fix is to tell to NIC what is the maximum size a frame can be. This bug
is very old, (before git introduction, linux-2.6.10)."
I have informed Willy (2.4 maintainer) about this.
Upstream 2.6 commit:
http://git.kernel.org/linus/fdd7b4c3302c93f6833e338903ea77245eb510b4
(v2.6.30)
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1389
http://marc.info/?t=123462473200002
http://lkml.org/lkml/2009/6/8/194
http://www.corpit.ru/mjt/r8169-mtu-oops.jpg
http://article.gmane.org/gmane.linux.network/130114
http://www.mail-archive.com/debian-kernel@lists.debian.org/msg45651.html
Thanks, Eugene
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic