xorl %eax, %eax

CVE-2010-4263: Linux kernel Intel Gigabit Ethernet Driver NULL Pointer Dereference


This bug was reported by Krzysztof Mościcki to the Linux kernel’s Bugzilla and affects Linux kernels prior to the 2.6.34 release. The susceptible code lies in igb_receive_skb(), the routine that handles incoming packets.

/**
 * igb_receive_skb - helper function to handle rx indications
 * @q_vector: structure containing interrupt and ring information
 * @skb: packet to send up
 * @vlan_tag: vlan tag for packet
 **/
static void igb_receive_skb(struct igb_q_vector *q_vector,
                            struct sk_buff *skb,
                            u16 vlan_tag)
{
        struct igb_adapter *adapter = q_vector->adapter;

        if (vlan_tag)
                vlan_gro_receive(&q_vector->napi, adapter->vlgrp,
                                 vlan_tag, skb);
        else
                napi_gro_receive(&q_vector->napi, skb);
}

As we can see, depending on the ‘vlan_tag’ variable it executes either vlan_gro_receive() or napi_gro_receive(), which handle VLAN and common packets respectively. But, as was pointed out, on a system with CONFIG_PCI_IOV to support virtual PCI devices this could result in a NULL pointer dereference, since ‘adapter->vlgrp’ could remain uninitialized if Single Root I/O Virtualization (SR-IOV) and promiscuous mode are enabled on the virtual network device but no VLANs are registered to it.
To fix this, the following patch was applied.

        struct igb_adapter *adapter = q_vector->adapter;
 
-       if (vlan_tag)
+       if (vlan_tag && adapter->vlgrp)
                vlan_gro_receive(&q_vector->napi, adapter->vlgrp,
                                 vlan_tag, skb);
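
Review bot: the added adapter->vlgrp test in the if condition needs a comment saying when a non-zero vlan_tag can arrive with no VLAN group registered, because a tagged frame now silently skips vlan_gro_receive() and the reason is not evident from the code. adapter->vlgrp is also read twice, once in the condition and again as the argument on the next line; unless something outside this hunk guarantees it cannot change in between, read it once into a local and use that for both the check and the call.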

Written by xorl

January 23, 2011 at 05:23

Posted in bugs, linux
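
The following is an added example, not code from the original post or from the kernel: a userspace model of the dispatch in igb_receive_skb() that runs all four combinations of tag and VLAN group through the original and the patched condition. The struct layouts and the names rx_before(), rx_after() and model_vlan_rx() are hypothetical stand-ins, and the NULL case is reported as a result code instead of being dereferenced.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-ins (hypothetical, not the kernel's definitions). */
struct vlan_group { int registered; };
struct igb_adapter { struct vlan_group *vlgrp; };

enum rx_path { RX_NAPI, RX_VLAN, RX_NULL_DEREF };

/* Stand-in for vlan_gro_receive(): per the post, reaching it with a
 * NULL group is the NULL pointer dereference, so report that case. */
static enum rx_path model_vlan_rx(const struct vlan_group *grp)
{
    return grp ? RX_VLAN : RX_NULL_DEREF;
}

/* Dispatch with the original condition: the tag alone decides. */
enum rx_path rx_before(const struct igb_adapter *a, unsigned short vlan_tag)
{
    if (vlan_tag)
        return model_vlan_rx(a->vlgrp);
    return RX_NAPI;
}

/* Dispatch with the patched condition: tag and a registered group. */
enum rx_path rx_after(const struct igb_adapter *a, unsigned short vlan_tag)
{
    if (vlan_tag && a->vlgrp)
        return model_vlan_rx(a->vlgrp);
    return RX_NAPI;
}

int main(void)
{
    static const char *name[] = { "napi", "vlan", "NULL deref" };
    struct vlan_group grp = { 1 };
    struct igb_adapter cases[] = { { NULL }, { &grp } };  /* constructed */
    unsigned short tags[] = { 0, 100 };                   /* constructed */

    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 2; j++)
            printf("vlgrp=%-4s tag=%-3u before=%-10s after=%s\n",
                   cases[i].vlgrp ? "set" : "NULL", (unsigned)tags[j],
                   name[rx_before(&cases[i], tags[j])],
                   name[rx_after(&cases[i], tags[j])]);
    return 0;
}
```

Only the tagged frame with no registered group changes path between the two versions; the other three combinations behave identically.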
