| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Mar 2012 09:05:40 +0200
From: Raffaele Recalcati <raffaele.recalcati@...cino.it>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: Davide Ciminaghi <ciminaghi@...dd.com>,
"David S. Miller" <davem@...emloft.net>,
Alexey Dobriyan <adobriyan@...il.com>,
Thomas Meyer <thomas@...3r.de>,
Wan ZongShun <mcuos.com@...il.com>,
Lucas De Marchi <lucas.demarchi@...fusion.mobi>,
netdev@...r.kernel.org
Subject: Re: [PATCH] net/ethernet: ks8851_mll fix rx frame buffer overflow
Hi Eric,
On 07:39 Tue 27 Mar , Eric Dumazet wrote:
> Le mardi 27 mars 2012 à 15:01 +0200, Davide Ciminaghi a écrit :
> > If interrupts are disabled long enough to allow for more than
> > 32 frames to accumulate in the MAC's internal buffers, a buffer
> > overflow occurs. This patch fixes the problem by making the
> > driver's frame_head_info buffer bigger enough.
> >
> > Signed-off-by: Davide Ciminaghi <ciminaghi@...dd.com>
> > Signed-off-by: Raffaele Recalcati <raffaele.recalcati@...cino.it>
> > ---
> > drivers/net/ethernet/micrel/ks8851_mll.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/drivers/net/ethernet/micrel/ks8851_mll.c b/drivers/net/ethernet/micrel/ks8851_mll.c
> > index 2784bc7..a158e89 100644
> > --- a/drivers/net/ethernet/micrel/ks8851_mll.c
> > +++ b/drivers/net/ethernet/micrel/ks8851_mll.c
> > @@ -40,7 +40,7 @@
> > #define DRV_NAME "ks8851_mll"
> >
> > static u8 KS_DEFAULT_MAC_ADDRESS[] = { 0x00, 0x10, 0xA1, 0x86, 0x95, 0x11 };
> > -#define MAX_RECV_FRAMES 32
> > +#define MAX_RECV_FRAMES 256
> > #define MAX_BUF_SIZE 2048
> > #define TX_BUF_SIZE 2000
> > #define RX_BUF_SIZE 2000
>
> How can this fix the problem for good ?
You can see in ks_rcv function,
ks->frame_cnt = ks_rdreg16(ks, KS_RXFCTR) >> 8;
so "RXFC RX Frame Count" is a byte, maximum 256 total frames.
but we have the threshold ..
As you can see also in ks_setup the
/* Setup Receive Frame Threshold - 1 frame (RXFCTFC) */
ks_wrreg16(ks, KS_RXFCTR, 1 & RXFCTR_THRESHOLD_MASK);
In conclusion what happen is that if we stop system interrupts for a while,
when we are back the ks_rcv function starts reading the frames, and
the
while (ks->frame_cnt--) {
..
frame_hdr++;
}
loop goes out of the malloc'ed area.
We experienced so strange bugs in the last weeks that we are so happy that it seems fixed, but I need
some weeks to confirm it is robust enough.
The 'load setup' is like the following:
- nfs rootfs
- host $ sudo ping -f $TARGET_IP_ADDRESS
- host $ scp -r BIG_DIR user@...RGET_IP_ADDRESS:
But I'm not sure to create the bug in a mathematical way, it seems to depend on packets on the corporate lan.
Surely if I stop with jtag and restart after some seconds I have buffer overflow, with same errors in ram that I
obtain randomically with 'load setup'.
Hoping it helps,
Raffaele
>
>
>
Ce message, ainsi que tous les fichiers joints à ce message,
peuvent contenir des informations sensibles et/ ou confidentielles
ne devant pas être divulguées. Si vous n'êtes pas le destinataire
de ce message (ou que vous recevez ce message par erreur), nous
vous remercions de le notifier immédiatement à son expéditeur, et
de détruire ce message. Toute copie, divulgation, modification,
utilisation ou diffusion, non autorisée, directe ou indirecte, de
tout ou partie de ce message, est strictement interdite.
This e-mail, and any document attached hereby, may contain
confidential and/or privileged information. If you are not the
intended recipient (or have received this e-mail in error) please
notify the sender immediately and destroy this e-mail. Any
unauthorized, direct or indirect, copying, disclosure, distribution
or other use of the material or parts thereof is strictly
forbidden.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists