lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1263088638.2480.210.camel@localhost>
Date:	Sun, 10 Jan 2010 01:57:18 +0000
From:	Ben Hutchings <ben@...adent.org.uk>
To:	David Miller <davem@...emloft.net>
Cc:	romieu@...zoreil.com, eric.dumazet@...il.com,
	nhorman@...driver.com, netdev@...r.kernel.org
Subject: Re: [PATCH RFC] r8169: straighten out overlength frame detection
 (v3)

On Fri, 2010-01-08 at 16:02 -0800, David Miller wrote:
[...]
> Whilst the above will end up gobbling up to (16K - BIG_PACKET_SZ)
> worth of innocent frames, the DMA engine seems to keep things at least
> self-consistent.
> 
> The only bug seems to be the omission of the LastFrag trigger at the
> proper place.

No, the attacker controls the completion status by writing it in
previous valid frames.  Please read the slides
(<http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf> pages 80-87).

I suspect that:
1. There is an internal ring buffer for RX DMA containing both frame
payload and completion status
2. When a frame is (slightly?) over-length, the ingress and egress logic
can disagree about the length of payload in the buffer
3. This results in stale data (usually frame payload) being written to
memory as the completion status

It is conceivable that the bug can be avoided simply by rounding the 
RxMaxSize.

[...]
> Therefore we shouldn't need to change anything and there is actually
> no "bug" or "exploit" at all.  We just end up dropping some RX frames
> because the chip didn't DMA them properly.

The intent of the exploit is precisely to cause other packets to be
dropped!

Ben.

-- 
Ben Hutchings
Theory and practice are closer in theory than in practice.
                                - John Levine, moderator of comp.compilers

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ