linux/drivers/net
Neil Horman c0cd884af0 r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
Official patch to fix the r8169 frame length check error.

Based on this initial thread:
http://marc.info/?l=linux-netdev&m=126202972828626&w=1
This is the official patch to fix the frame length problems in the r8169
driver.  As noted in the previous thread, while this patch incurs a performance
hit on the driver, its possible to improve performance dynamically by updating
the mtu and rx_copybreak values at runtime to return performance to what it was
for those NICS which are unaffected by the ideosyncracy (if there are any).

Summary:

    A while back Eric submitted a patch for r8169 in which the proper
allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too
much data.  This was done in commit fdd7b4c330.  A
long time prior to that however, Francois posted
126fa4b9ca, which expiclitly disabled the MaxSize
setting due to the fact that the hardware behaved in odd ways when overlong
frames were received on NIC's supported by this driver.  This was mentioned in a
security conference recently:
http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html

It seems that if we can't enable frame size filtering, then, as Eric correctly
noticed, we can find ourselves DMA-ing too much data to a buffer, causing
corruption.  As a result is seems that we are forced to allocate a frame which
is ready to handle a maximally sized receive.

This obviously has performance issues with it, so to mitigate that issue, this
patch does two things:

1) Raises the copybreak value to the frame allocation size, which should force
appropriately sized packets to get allocated on rx, rather than a full new 16k
buffer.

2) This patch only disables frame filtering initially (i.e., during the NIC
open), changing the MTU results in ring buffer allocation of a size in relation
to the new mtu (along with a warning indicating that this is dangerous).

Because of item (2), individuals who can't cope with the performance hit (or can
otherwise filter frames to prevent the bug), or who have hardware they are sure
is unaffected by this issue, can manually lower the copybreak and reset the mtu
such that performance is restored easily.

Signed-off-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-03-29 13:16:02 -07:00
..
appletalk
arcnet
arm
atl1c
atl1e
atlx
benet
bonding
can
chelsio
cris
cxgb3
e1000
e1000e
ehea
enic
fs_enet
hamradio
ibm_newemac
igb
igbvf
irda
ixgb
ixgbe
ixgbevf
ixp2000
mlx4
myri10ge
netxen
octeon
pcmcia
phy
qlcnic
qlge
sfc
skfp
stmmac
tokenring
tulip
usb
vmxnet3
vxge
wan
wimax
wireless
3c59x.c
3c501.c
3c501.h
3c503.c
3c503.h
3c505.c
3c505.h
3c507.c
3c509.c
3c515.c
3c523.c
3c523.h
3c527.c
3c527.h
7990.c
7990.h
8139cp.c
8139too.c
8390.c
8390.h
8390p.c
82596.c
a2065.c
a2065.h
ac3200.c
acenic.c
acenic.h
amd8111e.c
amd8111e.h
apne.c
ariadne.c
ariadne.h
at1700.c
atarilance.c
atp.c
atp.h
au1000_eth.c
au1000_eth.h
ax88796.c
b44.c
b44.h
bcm63xx_enet.c
bcm63xx_enet.h
bfin_mac.c
bfin_mac.h
bmac.c
bmac.h
bnx2_fw.h
bnx2.c
bnx2.h
bnx2x_dump.h
bnx2x_fw_defs.h
bnx2x_fw_file_hdr.h
bnx2x_hsi.h
bnx2x_init_ops.h
bnx2x_init.h
bnx2x_link.c
bnx2x_link.h
bnx2x_main.c
bnx2x_reg.h
bnx2x.h
bsd_comp.c
cassini.c
cassini.h
cnic_defs.h
cnic_if.h
cnic.c
cnic.h
cpmac.c
cs89x0.c
cs89x0.h
davinci_emac.c
de600.c
de600.h
de620.c
de620.h
declance.c
defxx.c
defxx.h
depca.c
depca.h
dl2k.c
dl2k.h
dm9000.c
dm9000.h
dnet.c
dnet.h
dummy.c
e100.c
e2100.c
eepro.c
eexpress.c
eexpress.h
enc28j60_hw.h
enc28j60.c
epic100.c
eql.c
es3210.c
eth16i.c
ethoc.c
ewrk3.c
ewrk3.h
fealnx.c
fec_mpc52xx_phy.c
fec_mpc52xx.c
fec_mpc52xx.h
fec.c
fec.h
forcedeth.c
fsl_pq_mdio.c
fsl_pq_mdio.h
gianfar_ethtool.c
gianfar_sysfs.c
gianfar.c
gianfar.h
greth.c
greth.h
hamachi.c
hp100.c
hp100.h
hp-plus.c
hp.c
hplance.c
hplance.h
hydra.c
ibmlana.c
ibmlana.h
ibmveth.c
ibmveth.h
ifb.c
ioc3-eth.c
ipg.c
ipg.h
iseries_veth.c
jazzsonic.c
jme.c
jme.h
Kconfig
korina.c
ks8842.c
ks8851_mll.c
ks8851.c
ks8851.h
ksz884x.c
lance.c
lasi_82596.c
lib8390.c
lib82596.c
LICENSE.SRC
ll_temac_main.c
ll_temac_mdio.c
ll_temac.h
lne390.c
loopback.c
lp486e.c
mac89x0.c
mac8390.c
macb.c
macb.h
mace.c
mace.h
macmace.c
macsonic.c
macvlan.c
macvtap.c
Makefile
mdio.c
meth.c
meth.h
mii.c
mipsnet.c
mv643xx_eth.c
mvme147.c
myri_sbus.c
myri_sbus.h
natsemi.c
ne2.c
ne2k-pci.c
ne3210.c
ne-h8300.c
ne.c
netconsole.c
netx-eth.c
ni52.c
ni52.h
ni65.c
ni65.h
ni5010.c
ni5010.h
niu.c
niu.h
ns83820.c
pasemi_mac_ethtool.c
pasemi_mac.c
pasemi_mac.h
pci-skeleton.c
pcnet32.c
plip.c
ppp_async.c
ppp_deflate.c
ppp_generic.c
ppp_mppe.c
ppp_mppe.h
ppp_synctty.c
pppoe.c
pppol2tp.c
pppox.c
ps3_gelic_net.c
ps3_gelic_net.h
ps3_gelic_wireless.c
ps3_gelic_wireless.h
qla3xxx.c
qla3xxx.h
r6040.c
r8169.c r8169: offical fix for CVE-2009-4537 (overlength frame DMAs) 2010-03-29 13:16:02 -07:00
rionet.c
rrunner.c
rrunner.h
s2io-regs.h
s2io.c
s2io.h
s6gmac.c
sb1000.c
sb1250-mac.c
sc92031.c
seeq8005.c
seeq8005.h
sgiseeq.c
sgiseeq.h
sh_eth.c
sh_eth.h
sis190.c
sis900.c
sis900.h
skge.c
skge.h
sky2.c
sky2.h
slhc.c
slip.c
slip.h
smc91x.c
smc91x.h
smc911x.c
smc911x.h
smc9194.c
smc9194.h
smc-mca.c
smc-ultra32.c
smc-ultra.c
smsc911x.c
smsc911x.h
smsc9420.c
smsc9420.h
sni_82596.c
sonic.c
sonic.h
Space.c
spider_net_ethtool.c
spider_net.c
spider_net.h
starfire.c
stnic.c
sun3_82586.c
sun3_82586.h
sun3lance.c
sunbmac.c
sunbmac.h
sundance.c
sungem_phy.c
sungem_phy.h
sungem.c
sungem.h
sunhme.c
sunhme.h
sunlance.c
sunqe.c
sunqe.h
sunvnet.c
sunvnet.h
tc35815.c
tehuti.c
tehuti.h
tg3.c
tg3.h
tlan.c
tlan.h
tsi108_eth.c
tsi108_eth.h
tun.c
typhoon.c
typhoon.h
ucc_geth_ethtool.c
ucc_geth.c
ucc_geth.h
veth.c
via-rhine.c
via-velocity.c
via-velocity.h
virtio_net.c
wd.c
xen-netfront.c
xilinx_emaclite.c
xtsonic.c
yellowfin.c
znet.c
zorro8390.c