Re: [PATCH net 2/2] r8152: rx descriptor check

From: Francois Romieu
Date: Mon Nov 14 2016 - 20:11:00 EST

Next message: Boqun Feng: "Re: [PATCH tip/core/rcu 3/5] rcu: Abstract dynticks extended quiescent state enter/exit operations"
Previous message: Dan Williams: "Re: [PATCH] mm: disable numa migration faults for dax vmas"
In reply to: Hayes Wang: "RE: [PATCH net 2/2] r8152: rx descriptor check"
Next in thread: David Miller: "Re: [PATCH net 2/2] r8152: rx descriptor check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hayes Wang <hayeswang@xxxxxxxxxxx> :
> Francois Romieu [mailto:romieu@xxxxxxxxxxxxx]
> > Sent: Friday, November 11, 2016 8:13 PM
> [...]
> > Invalid packet size corrupted receive descriptors in Realtek's device
> > reminds of CVE-2009-4537.
>
> Do you mean that the driver would get a packet exceed the size
> which is set to RxMaxSize ?

If it was possible to get it wrong once, it should be possible to
get it wrong twice, especially if some part of the hardware design
is recycled. I don't mean anything else.

I won't speculate about some cache consistency issue or some badly
aborted dma transaction to explain the memory corruption.

--
Ueimor

Next message: Boqun Feng: "Re: [PATCH tip/core/rcu 3/5] rcu: Abstract dynticks extended quiescent state enter/exit operations"
Previous message: Dan Williams: "Re: [PATCH] mm: disable numa migration faults for dax vmas"
In reply to: Hayes Wang: "RE: [PATCH net 2/2] r8152: rx descriptor check"
Next in thread: David Miller: "Re: [PATCH net 2/2] r8152: rx descriptor check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]