Message-ID: <4A2D2906.6090002@gmail.com>
Date: Mon, 08 Jun 2009 17:06:46 +0200
From: Eric Dumazet <eric.dumazet@gmail.com>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Michael Tokarev <mjt@tls.msk.ru>
CC: Linux-kernel <linux-kernel@vger.kernel.org>,
       netdev <netdev@vger.kernel.org>
Subject: Re: [Security, resend] Instant crash with rtl8169 and large packets
References: <4A2D1147.8020101@msgid.tls.msk.ru> <4A2D1FE4.5030100@gmail.com> <4A2D25F6.9080300@msgid.tls.msk.ru>
In-Reply-To: <4A2D25F6.9080300@msgid.tls.msk.ru>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 3009
Lines: 91

Michael Tokarev a ?crit :
> Thank you Eric for the reply.
> 
> Eric Dumazet wrote:
>> Michael Tokarev a ?crit :
> []
>>> The situation is very simple: with an RTL8169 (probably
>>> onboard) GigE card which, by default, is configured to
>>> have MTU (maximal transmission unit) to be 1500 bytes,
>>> it's *trivial* to instantly crash the machine by sending
>>> it a *single* packet of size >1500 bytes (provided the
>>> network switch can handle jumbo frames).
> []
>>>  http://www.corpit.ru/mjt/r8169-mtu-oops.jpg
> 
>> I suppose you use a recent kernel ?
> 
> http://marc.info/?t=123462473200002 -- here's my first attempt,
> at Feb this year.  It was 2.6.27 or so.  Right now I'm running
> 2.6.29[.4].  So I think yes, I use a recent kernel.
> 
>> Could you please try following patch ?
> []
>> diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
>> index e94316b..c08b97a 100644
>> --- a/drivers/net/r8169.c
>> +++ b/drivers/net/r8169.c
>> @@ -3468,7 +3468,7 @@ static int rtl8169_rx_interrupt(struct
>> net_device *dev,
>>  
>>          if (status & DescOwn)
>>              break;
>> -        if (unlikely(status & RxRES)) {
>> +        if (unlikely(status & (RxRES | RxRWT | RxRUNT | RxCRC |
>> RxFOVF))) {
>>              if (netif_msg_rx_err(tp)) {
>>                  printk(KERN_INFO
>>                         "%s: Rx ERROR. status = %08x\n",
> 
> Tried that one, got no printk (at least not a visible one) and exactly
> the same OOPS as before.  Trivial test with
> 
>   ping -c1 -s3000 $my_ip_addr
> 
> (learned to add -c1 because the previous time my machine crashed several
> times
> in a row till I figured out what's going on and unplugged the ethernet
> cord --
> even if ping were running from an xterm executed from the machine to
> which I
> were pinging to! :)
> 
> Also got ext4fs corruption when rebooted (it's a staging area so nothing
> important
> is there but still.. "interesting").
> 
> Also tried 32bit kernel (were using 64bits -- exactly the same result).
> 
> I wish I had a serial cable or even a serial port on this machine....
> But I guess
> it'd not help anyway, because the machine locks hard.
> 
> Thanks!
> 
> /mjt

OK, 2nd try then :)

Thanks

diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index e94316b..9080b08 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -3495,7 +3495,8 @@ static int rtl8169_rx_interrupt(struct net_device *dev,
 			 * frames. They are seen as a symptom of over-mtu
 			 * sized frames.
 			 */
-			if (unlikely(rtl8169_fragmented_frame(status))) {
+			if (unlikely(rtl8169_fragmented_frame(status) ||
+				     (unsigned int)pkt_size > tp->rx_buf_sz)) {
 				dev->stats.rx_dropped++;
 				dev->stats.rx_length_errors++;
 				rtl8169_mark_to_asic(desc, tp->rx_buf_sz);


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/