From: Nicolas Thill <nico@openwrt.org>
Date: Thu, 16 Jul 2009 07:12:59 +0000 (+0000)
Subject: [kernel] fix buffer overflow in RTL8169 NIC driver
X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fsvn-archive%2Farchive.git;a=commitdiff_plain;h=e69c6d6e6f4e20a94513c5c1c49b465c6da06688

[kernel] fix buffer overflow in RTL8169 NIC driver
 - CVE-2009-1389


SVN-Revision: 16857
---

diff --git a/target/linux/generic-2.6/patches-2.6.23/995-cve-2009-1389.patch b/target/linux/generic-2.6/patches-2.6.23/995-cve-2009-1389.patch
new file mode 100644
index 0000000000..573cf6db76
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.23/995-cve-2009-1389.patch
@@ -0,0 +1,52 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -80,7 +80,6 @@ static const int multicast_filter_limit 
+ #define RX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld	0x3F	/* 0x3F means NO early transmit */
+-#define RxPacketMaxSize	0x3FE8	/* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu		0x1c20	/* ... actually life sucks beyond ~7k */
+ #define InterFrameGap	0x03	/* 3 means InterFrameGap = the shortest one */
+ 
+@@ -1866,10 +1865,10 @@ static u16 rtl_rw_cpluscmd(void __iomem 
+ 	return cmd;
+ }
+ 
+-static void rtl_set_rx_max_size(void __iomem *ioaddr)
++static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
+ {
+ 	/* Low hurts. Let's disable the filtering. */
+-	RTL_W16(RxMaxSize, 16383);
++	RTL_W16(RxMaxSize, rx_buf_sz);
+ }
+ 
+ static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
+@@ -1916,7 +1915,7 @@ static void rtl_hw_start_8169(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ 	    (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
+@@ -1980,7 +1979,7 @@ static void rtl_hw_start_8168(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	rtl_set_rx_tx_config_registers(tp);
+ 
+@@ -2033,7 +2032,7 @@ static void rtl_hw_start_8101(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
+ 
diff --git a/target/linux/generic-2.6/patches-2.6.24/995-cve-2009-1389.patch b/target/linux/generic-2.6/patches-2.6.24/995-cve-2009-1389.patch
new file mode 100644
index 0000000000..073b5475d8
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.24/995-cve-2009-1389.patch
@@ -0,0 +1,52 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -81,7 +81,6 @@ static const int multicast_filter_limit 
+ #define RX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld	0x3F	/* 0x3F means NO early transmit */
+-#define RxPacketMaxSize	0x3FE8	/* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu		0x1c20	/* ... actually life sucks beyond ~7k */
+ #define InterFrameGap	0x03	/* 3 means InterFrameGap = the shortest one */
+ 
+@@ -1980,10 +1979,10 @@ static u16 rtl_rw_cpluscmd(void __iomem 
+ 	return cmd;
+ }
+ 
+-static void rtl_set_rx_max_size(void __iomem *ioaddr)
++static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
+ {
+ 	/* Low hurts. Let's disable the filtering. */
+-	RTL_W16(RxMaxSize, 16383);
++	RTL_W16(RxMaxSize, rx_buf_sz);
+ }
+ 
+ static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
+@@ -2030,7 +2029,7 @@ static void rtl_hw_start_8169(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ 	    (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
+@@ -2094,7 +2093,7 @@ static void rtl_hw_start_8168(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	rtl_set_rx_tx_config_registers(tp);
+ 
+@@ -2148,7 +2147,7 @@ static void rtl_hw_start_8101(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
+ 
diff --git a/target/linux/generic-2.6/patches-2.6.25/995-cve-2009-1389.patch b/target/linux/generic-2.6/patches-2.6.25/995-cve-2009-1389.patch
new file mode 100644
index 0000000000..a37deffd52
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.25/995-cve-2009-1389.patch
@@ -0,0 +1,52 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -81,7 +81,6 @@ static const int multicast_filter_limit 
+ #define RX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld	0x3F	/* 0x3F means NO early transmit */
+-#define RxPacketMaxSize	0x3FE8	/* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu		0x1c20	/* ... actually life sucks beyond ~7k */
+ #define InterFrameGap	0x03	/* 3 means InterFrameGap = the shortest one */
+ 
+@@ -1982,10 +1981,10 @@ static u16 rtl_rw_cpluscmd(void __iomem 
+ 	return cmd;
+ }
+ 
+-static void rtl_set_rx_max_size(void __iomem *ioaddr)
++static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
+ {
+ 	/* Low hurts. Let's disable the filtering. */
+-	RTL_W16(RxMaxSize, 16383);
++	RTL_W16(RxMaxSize, rx_buf_sz);
+ }
+ 
+ static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
+@@ -2032,7 +2031,7 @@ static void rtl_hw_start_8169(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ 	    (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
+@@ -2096,7 +2095,7 @@ static void rtl_hw_start_8168(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	rtl_set_rx_tx_config_registers(tp);
+ 
+@@ -2150,7 +2149,7 @@ static void rtl_hw_start_8101(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
+ 
diff --git a/target/linux/generic-2.6/patches-2.6.26/995-cve-2009-1389.patch b/target/linux/generic-2.6/patches-2.6.26/995-cve-2009-1389.patch
new file mode 100644
index 0000000000..a37deffd52
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.26/995-cve-2009-1389.patch
@@ -0,0 +1,52 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -81,7 +81,6 @@ static const int multicast_filter_limit 
+ #define RX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld	0x3F	/* 0x3F means NO early transmit */
+-#define RxPacketMaxSize	0x3FE8	/* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu		0x1c20	/* ... actually life sucks beyond ~7k */
+ #define InterFrameGap	0x03	/* 3 means InterFrameGap = the shortest one */
+ 
+@@ -1982,10 +1981,10 @@ static u16 rtl_rw_cpluscmd(void __iomem 
+ 	return cmd;
+ }
+ 
+-static void rtl_set_rx_max_size(void __iomem *ioaddr)
++static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
+ {
+ 	/* Low hurts. Let's disable the filtering. */
+-	RTL_W16(RxMaxSize, 16383);
++	RTL_W16(RxMaxSize, rx_buf_sz);
+ }
+ 
+ static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
+@@ -2032,7 +2031,7 @@ static void rtl_hw_start_8169(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ 	    (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
+@@ -2096,7 +2095,7 @@ static void rtl_hw_start_8168(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	rtl_set_rx_tx_config_registers(tp);
+ 
+@@ -2150,7 +2149,7 @@ static void rtl_hw_start_8101(struct net
+ 
+ 	RTL_W8(EarlyTxThres, EarlyTxThld);
+ 
+-	rtl_set_rx_max_size(ioaddr);
++	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+ 
+ 	tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
+