Bug 502981 (CVE-2009-1385) - CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service
Summary: CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1385
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 502982 502983 503438 503439 503440 503441 549234
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-05-28 05:43 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:30 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-23 04:39:02 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1132 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-06-30 08:06:02 UTC
Red Hat Product Errata RHSA-2009:1157 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2009-07-14 19:11:05 UTC
Red Hat Product Errata RHSA-2009:1193 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-08-04 13:15:15 UTC
Red Hat Product Errata RHSA-2009:1550 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-03 21:59:47 UTC
Red Hat Product Errata RHSA-2010:0079 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-02-02 21:01:07 UTC

Comment 13 Eugene Teo (Security Response) 2009-06-01 04:05:24 UTC
This bug was fixed in http://sourceforge.net/projects/e1000 since release 7.5.5 (2007-04-25 22:15), but not in upstream kernel.

http://sourceforge.net/project/shownotes.php?release_id=504022&group_id=42302
Notes:
 * fix panic on changing MTU under stress

Comment 16 Eugene Teo (Security Response) 2009-06-03 01:09:42 UTC
Patch to fix bad length checking in e1000.  E1000 by default does two things:

1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
2) Strips the crc from a frame by subtracting 4 bytes from the length prior to doing an skb_put

Since the e1000 driver isn't written to support receiving packets that span multiple rx buffers, it checks the End of Packet bit of every frame, and discards it if its not set.  This places us in a situation where, if we have a spanning packet, the first part is discarded, but the second part is not (since it is the end of packet, and it passes the EOP bit test).  If the second part of the frame is small (4 bytes or less), we subtract 4 from it to remove its crc, underflow the length, and wind up in skb_over_panic, when we try to skb_put a huge number of bytes into the skb.  This amounts to a remote DOS attack through careful selection of frame size in relation to interface MTU.  The fix for this is already in the e1000e driver, as well as the e1000 sourceforge driver, but no one ever pushed it to e1000.  This is lifted straight from e1000e, and prevents small frames from causing the underflow described above.

Upstream commit:
http://git.kernel.org/linus/ea30e11970a96cfe5e32c03a29332554573b4a10

This bug was fixed in http://sourceforge.net/projects/e1000 since release 7.5.5
(2007-04-25 22:15), but not in upstream kernel.

http://sourceforge.net/project/shownotes.php?release_id=504022&group_id=42302
Notes:
 * fix panic on changing MTU under stress

Comment 19 Fedora Update System 2009-06-18 22:08:01 UTC
kernel-2.6.27.25-78.2.56.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/kernel-2.6.27.25-78.2.56.fc9

Comment 20 Fedora Update System 2009-06-22 11:59:26 UTC
kernel-2.6.27.25-170.2.72.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.25-170.2.72.fc10

Comment 21 Fedora Update System 2009-06-24 19:17:59 UTC
kernel-2.6.27.25-170.2.72.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2009-06-24 19:23:01 UTC
kernel-2.6.29.5-191.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2009-06-24 19:35:21 UTC
kernel-2.6.27.25-78.2.56.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 errata-xmlrpc 2009-06-30 08:06:06 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html

Comment 25 errata-xmlrpc 2009-07-14 19:11:11 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1157 https://rhn.redhat.com/errata/RHSA-2009-1157.html

Comment 26 wang jiabo 2009-07-30 03:14:23 UTC
I reproduce the bug on kernel-2.6.18-128.2.1.el5.x86_64,
and verify that kernel-2.6.18-128.4.1.el5.x86_64 can fix the bug.
my test environment:  cisco 3550 switch, 2 intel 82541PI GE NIC, 2 devices.

Comment 27 errata-xmlrpc 2009-08-04 13:15:24 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1193 https://rhn.redhat.com/errata/RHSA-2009-1193.html

Comment 30 errata-xmlrpc 2009-11-03 22:03:15 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html

Comment 33 errata-xmlrpc 2010-02-02 21:01:41 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2010:0079 https://rhn.redhat.com/errata/RHSA-2010-0079.html

Comment 36 Wade Mealing 2014-09-23 04:39:02 UTC
This seems to have been entirely covered by the errata.  

All bugs for specific bugs for tracking releases seem to have been shipped. I'm closing this as errata.  Please re-open if you believe i have missed anything.


Note You need to log in before you can comment on or make changes to this bug.