Re: [PATCH] e1000: enhance frame fragment detection

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ben Hutchings <ben@decadent.org.uk>
To: "Brandeburg, Jesse" <jesse.brandeburg@intel.com>
Cc: Neil Horman <nhorman@tuxdriver.com>,
	davem@davemloft.net,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"Kirsher, Jeffrey T" <jeffrey.t.kirsher@intel.com>,
	"Allan, Bruce W" <bruce.w.allan@intel.com>,
	"Waskiewicz Jr, Peter P" <peter.p.waskiewicz.jr@intel.com>,
	"Ronciak, John" <john.ronciak@intel.com>,
	"e1000-devel@lists.sourceforge.net"
	<e1000-devel@lists.sourceforge.net>
Subject: Re: [PATCH] e1000: enhance frame fragment detection
Date: Wed, 13 Jan 2010 02:04:31 +0000	[thread overview]
Message-ID: <1263348271.3852.74.camel@localhost> (raw)
In-Reply-To: <alpine.WNT.2.00.1001121720300.3168@jbrandeb-desk1.amr.corp.intel.com>

[-- Attachment #1: Type: text/plain, Size: 2338 bytes --]

On Tue, 2010-01-12 at 17:56 -0800, Brandeburg, Jesse wrote:
> On Wed, 6 Jan 2010, Brandeburg, Jesse wrote:
> > a counter patch, without atomic ops, since we are protected by napi when 
> > modifying this variable.
> > 
> > Originally From: Neil Horman <nhorman@tuxdriver.com>
> > Modified by: Jesse Brandeburg <jesse.brandeburg@intel.com>
> > 
> > <original message>
> > Hey all-
> > 	A security discussion was recently given:
> > http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
> > And a patch that I submitted awhile back was brought up.  Apparently some of
> > their testing revealed that they were able to force a buffer fragment in e1000
> > in which the trailing fragment was greater than 4 bytes.  As a result the
> > fragment check I introduced failed to detect the fragement and a partial
> > invalid frame was passed up into the network stack.  I've written this patch
> > to correct it.  I'm in the process of testing it now, but it makes good
> > logical sense to me.  Effectively it maintains a per-adapter state variable
> > which detects a non-EOP frame, and discards it and subsequent non-EOP frames
> > leading up to _and_ _including_ the next positive-EOP frame (as it is by
> > definition the last fragment).  This should prevent any and all partial frames
> > from entering the network stack from e1000.
> > 
> > Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
> 
> I would like to withdraw this patch, at least for 2.6.32+ e1000 and e1000e 
> are both not susceptible to this attack.  We have verified the below with 
> testing, including code modifications to guarantee the correct paths were 
> taken when receiving overlong frames.
[...]
> I believe RedHat has not backported this patch, and kernels <= 2.6.31 
> still need the fix, so both need some version of this workaround, but 
> 2.6.32 does not.
[...]

There's also the 2.6.27 stable series, and several long-term supported
distributions.  I'm particularly interested in getting a patch for
Debian 5.0's kernel based on 2.6.26.  Please advise what would be a
suitable change for the older kernel versions.

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                            - Robert Coveyou

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]

next prev parent reply	other threads:[~2010-01-13  2:04 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-12-28 20:10 [PATCH] e1000: enhance frame fragment detection Neil Horman
2009-12-29  0:42 ` Jeff Kirsher
2009-12-29  1:14   ` Neil Horman
2010-01-05 21:44 ` Brandeburg, Jesse
2010-01-05 22:04   ` Neil Horman
2010-01-06 23:27   ` Brandeburg, Jesse
2010-01-07  0:56     ` Neil Horman
2010-01-13  1:56     ` Brandeburg, Jesse
2010-01-13  2:04       ` Ben Hutchings [this message]
2010-01-13  2:12       ` Neil Horman
2010-01-13  2:47         ` Brandeburg, Jesse
2010-01-13  3:33           ` Neil Horman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1263348271.3852.74.camel@localhost \
    --to=ben@decadent.org.uk \
    --cc=bruce.w.allan@intel.com \
    --cc=davem@davemloft.net \
    --cc=e1000-devel@lists.sourceforge.net \
    --cc=jeffrey.t.kirsher@intel.com \
    --cc=jesse.brandeburg@intel.com \
    --cc=john.ronciak@intel.com \
    --cc=netdev@vger.kernel.org \
    --cc=nhorman@tuxdriver.com \
    --cc=peter.p.waskiewicz.jr@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.