Bug 502981 (CVE-2009-1385)

Summary: CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: atangrin, bhu, bressers, cwebster, dhoward, jiabwang, jpirko, lgoncalv, lwang, mcoffey, nhorman, nobody, peterm, security-response-team, tao, vgoyal, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: reported=20090528,public=20070425,source=issuetracker,impact=important,cvss2=7.1/AV:N/AC:M/Au:N/C:N/I:N/A:C,cwe=CWE-190->CWE-119
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-23 00:39:02 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 502982, 502983, 503438, 503439, 503440, 503441, 549234    
Bug Blocks:    

Comment 13 Eugene Teo (Security Response) 2009-06-01 00:05:24 EDT
This bug was fixed in http://sourceforge.net/projects/e1000 since release 7.5.5 (2007-04-25 22:15), but not in upstream kernel.

http://sourceforge.net/project/shownotes.php?release_id=504022&group_id=42302
Notes:
 * fix panic on changing MTU under stress
Comment 16 Eugene Teo (Security Response) 2009-06-02 21:09:42 EDT
Patch to fix bad length checking in e1000.  E1000 by default does two things:

1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
2) Strips the crc from a frame by subtracting 4 bytes from the length prior to doing an skb_put

Since the e1000 driver isn't written to support receiving packets that span multiple rx buffers, it checks the End of Packet bit of every frame, and discards it if its not set.  This places us in a situation where, if we have a spanning packet, the first part is discarded, but the second part is not (since it is the end of packet, and it passes the EOP bit test).  If the second part of the frame is small (4 bytes or less), we subtract 4 from it to remove its crc, underflow the length, and wind up in skb_over_panic, when we try to skb_put a huge number of bytes into the skb.  This amounts to a remote DOS attack through careful selection of frame size in relation to interface MTU.  The fix for this is already in the e1000e driver, as well as the e1000 sourceforge driver, but no one ever pushed it to e1000.  This is lifted straight from e1000e, and prevents small frames from causing the underflow described above.

Upstream commit:
http://git.kernel.org/linus/ea30e11970a96cfe5e32c03a29332554573b4a10

This bug was fixed in http://sourceforge.net/projects/e1000 since release 7.5.5
(2007-04-25 22:15), but not in upstream kernel.

http://sourceforge.net/project/shownotes.php?release_id=504022&group_id=42302
Notes:
 * fix panic on changing MTU under stress
Comment 19 Fedora Update System 2009-06-18 18:08:01 EDT
kernel-2.6.27.25-78.2.56.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/kernel-2.6.27.25-78.2.56.fc9
Comment 20 Fedora Update System 2009-06-22 07:59:26 EDT
kernel-2.6.27.25-170.2.72.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.25-170.2.72.fc10
Comment 21 Fedora Update System 2009-06-24 15:17:59 EDT
kernel-2.6.27.25-170.2.72.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2009-06-24 15:23:01 EDT
kernel-2.6.29.5-191.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2009-06-24 15:35:21 EDT
kernel-2.6.27.25-78.2.56.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 errata-xmlrpc 2009-06-30 04:06:06 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html
Comment 25 errata-xmlrpc 2009-07-14 15:11:11 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1157 https://rhn.redhat.com/errata/RHSA-2009-1157.html
Comment 26 wang jiabo 2009-07-29 23:14:23 EDT
I reproduce the bug on kernel-2.6.18-128.2.1.el5.x86_64,
and verify that kernel-2.6.18-128.4.1.el5.x86_64 can fix the bug.
my test environment:  cisco 3550 switch, 2 intel 82541PI GE NIC, 2 devices.
Comment 27 errata-xmlrpc 2009-08-04 09:15:24 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1193 https://rhn.redhat.com/errata/RHSA-2009-1193.html
Comment 30 errata-xmlrpc 2009-11-03 17:03:15 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html
Comment 33 errata-xmlrpc 2010-02-02 16:01:41 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2010:0079 https://rhn.redhat.com/errata/RHSA-2010-0079.html
Comment 36 Wade Mealing 2014-09-23 00:39:02 EDT
This seems to have been entirely covered by the errata.  

All bugs for specific bugs for tracking releases seem to have been shipped. I'm closing this as errata.  Please re-open if you believe i have missed anything.