lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1269901265.8653.408.camel@localhost>
Date:	Mon, 29 Mar 2010 23:21:05 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	David Miller <davem@...emloft.net>
Cc:	nhorman@...driver.com, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org, michael.s.gilbert@...il.com,
	davem@...emeloft.net, romieu@...zoreil.com, eric.dumazet@...il.com
Subject: Re: [PATCH] r8169: offical fix for CVE-2009-4537 (overlength frame
 DMAs)

On Mon, 2010-03-29 at 15:09 -0700, David Miller wrote:
> From: Ben Hutchings <ben@...adent.org.uk>
> Date: Mon, 29 Mar 2010 23:01:45 +0100
> 
> > It also sucks that the secure but low-performance behaviour is enabled
> > for all variants, while AIUI only some suffer from the bug.  I realise
> > you probably don't have access to every variant (and neither does
> > Francois) but perhaps you could come up with a test case that could be
> > used to start whitelisting common variants that don't have the bug?
> 
> As far as we know all chip variants seem to have the problem.

That's not what I understood from the discussion of the early
back-and-forth changes to receive buffer size.

> Furthermore, this issue has been known about and investigated for
> about 3 months.  In that time no better options for handling this
> issue reliably have been discovered and implemented.
>
> Feel free to code up (and test) something better yourself if you don't
> like the fix as it exists currently. :-)

I would have had a go already, if I actually had some of this hardware
to hand.  Luckily I have managed to avoid buying any so far.  But if
anyone is prepared to loan me a NIC then I promise to have a go at it.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ