xorl %eax, %eax

CVE-2009-4538: Linux kernel e1000e Remote Integer Underflow


After the recent massive ownage of Linux kernel’s NIC device drivers by fabs, Eugene Teo of Red Hat noticed that e1000e (Intel PRO/1000) was also vulnerable to an issue similar to CVE-2009-4536. Here is the buggy code as seen in drivers/net/e1000e/netdev.c:

/**
 * e1000_clean_rx_irq - Send received data up the network stack; legacy
 * @adapter: board private structure
 *
 * the return value indicates whether actual cleaning was done, there
 * is no guarantee that everything was cleaned
 **/
static bool e1000_clean_rx_irq(struct e1000_adapter *adapter,
                               int *work_done, int work_to_do)
{
     ...
        u32 length;
     ...
                length = le16_to_cpu(rx_desc->length);

                /* !EOP means multiple descriptors were used to store a single
                 * packet, also make sure the frame isn't just CRC only */
                if (!(status & E1000_RXD_STAT_EOP) || (length <= 4)) {
                        /* All receives must fit into a single buffer */
                        e_dbg("%s: Receive packet consumed multiple buffers\n",
                              netdev->name);
                        /* recycle */
                        buffer_info->skb = skb;
                        goto next_desc;
                }
     ...
                /* adjust length to remove Ethernet CRC */
                if (!(adapter->flags2 & FLAG2_CRC_STRIPPING))
                        length -= 4;

                total_rx_bytes += length;
                total_rx_packets++;
     ...
        return cleaned;
}

Once again, the check is applied to each descriptor on its own. A descriptor without EOP set is recycled, but nothing remembers that the frame was split over several RX buffers. When the final fragment of that frame arrives with EOP set and a length greater than four (the `length <= 4` test only rejects a fragment that holds nothing but the CRC), it passes the check and is handed up the stack as if it were a complete frame of its own. The concept is exactly the same as in CVE-2009-4536, so if you don't understand it, read my previous analysis of that vulnerability.
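To make the per-descriptor check concrete, here is an added example (my own model, not the driver's code) of the receive loop over a small constructed descriptor ring, with the vulnerable per-descriptor test beside a stateful version that throws the whole oversized frame away. The descriptor layout, the `RXD_STAT_EOP` flag, the buffer size and the helper names are assumptions; the upstream fix tracks the same discard state in a per-adapter flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the RX descriptor ring. Only the two fields the
 * EOP/length check reads are modelled; names are hypothetical. */
#define RXD_STAT_EOP 0x02   /* End Of Packet: this buffer closes a frame */
#define RX_BUF_SIZE  2048   /* assumed size of one receive buffer */
#define MAX_FRAMES   8

struct rx_desc {
    uint16_t length;        /* bytes the NIC wrote into this buffer */
    uint8_t  status;        /* RXD_STAT_EOP or 0 */
};

/* What one pass over the ring handed up the stack. */
struct rx_result {
    int      frames;
    uint32_t lengths[MAX_FRAMES];   /* payload lengths, CRC stripped */
};

static void deliver(struct rx_result *r, uint32_t length)
{
    if (r->frames < MAX_FRAMES)
        r->lengths[r->frames] = length;
    r->frames++;
}

/* Length of the i-th frame delivered, 0 if there was none. */
static uint32_t delivered_len(struct rx_result r, int i)
{
    return (i >= 0 && i < r.frames && i < MAX_FRAMES) ? r.lengths[i] : 0;
}

/* Vulnerable logic, mirroring the quoted e1000_clean_rx_irq(): each
 * descriptor is judged alone. A non-EOP descriptor is recycled, but the
 * EOP descriptor closing the same oversized frame is accepted as soon as
 * it holds more than the four CRC bytes. */
static struct rx_result clean_rx_vulnerable(const struct rx_desc *ring, int n)
{
    struct rx_result r = {0};

    for (int i = 0; i < n; i++) {
        uint32_t length = ring[i].length;

        if (!(ring[i].status & RXD_STAT_EOP) || length <= 4)
            continue;               /* "recycle", goto next_desc */

        length -= 4;                /* strip CRC; length > 4 here */
        deliver(&r, length);
    }
    return r;
}

/* Hardened logic: a non-EOP descriptor marks a frame that did not fit;
 * everything up to and including the next EOP descriptor belongs to that
 * frame and is discarded as a unit. */
static struct rx_result clean_rx_fixed(const struct rx_desc *ring, int n)
{
    struct rx_result r = {0};
    bool discarding = false;

    for (int i = 0; i < n; i++) {
        uint32_t length = ring[i].length;
        bool eop = (ring[i].status & RXD_STAT_EOP) != 0;

        if (!eop)
            discarding = true;
        if (discarding) {
            if (eop)                /* last piece of the oversized frame */
                discarding = false;
            continue;
        }
        if (length <= 4)            /* CRC-only frame, nothing to deliver */
            continue;

        length -= 4;
        deliver(&r, length);
    }
    return r;
}

/* Constructed ring: a normal 1514-byte frame, a 3000-byte frame the NIC
 * split over two buffers (2048 + 956 bytes including CRC), and a 64-byte
 * frame. The vulnerable path hands the 952-byte tail up as a frame of its
 * own, with attacker-chosen bytes where the Ethernet header would be. */
const struct rx_desc sample_ring[] = {
    { 1518,        RXD_STAT_EOP },
    { RX_BUF_SIZE, 0            },
    { 956,         RXD_STAT_EOP },
    { 68,          RXD_STAT_EOP },
};
#define SAMPLE_N ((int)(sizeof sample_ring / sizeof sample_ring[0]))

int main(void)
{
    struct rx_result v = clean_rx_vulnerable(sample_ring, SAMPLE_N);
    struct rx_result f = clean_rx_fixed(sample_ring, SAMPLE_N);

    printf("vulnerable: %d frames delivered:", v.frames);
    for (int i = 0; i < v.frames; i++)
        printf(" %u", delivered_len(v, i));
    printf("\nfixed:      %d frames delivered:", f.frames);
    for (int i = 0; i < f.frames; i++)
        printf(" %u", delivered_len(f, i));
    printf("\n");
    return 0;
}
```

Running it shows the vulnerable loop delivering three frames (1514, 952 and 64 bytes) while the stateful version delivers only the two frames that actually fit in a single buffer.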

Written by xorl

January 2, 2010 at 08:00

Posted in bugs, linux
