[Security, resend] Instant crash with rtl8169 and large packets

From: Michael Tokarev
Date: Mon Jun 08 2009 - 09:24:22 EST


Hello.

This is a resend (sort of) of several months old email.
Previous email about this issue has been mostly ignored.

The situation is very simple: with an RTL8169 (probably
onboard) GigE card which, by default, is configured to
have MTU (maximal transmission unit) to be 1500 bytes,
it's *trivial* to instantly crash the machine by sending
it a *single* packet of size >1500 bytes (provided the
network switch can handle jumbo frames).

I verified with on several different machines - all I were
able to find with this card - and all behaves exactly the
same.

When sending a packet of size, say, 3000 bytes (ping -s 3000)
from another machine to a machine running rtl8169 with no
MTU configured, kernel OOPSes.

I captured one such OOPS (unfortunately without the first
line few lines) here:

http://www.corpit.ru/mjt/r8169-mtu-oops.jpg

(since the network goes boom at that time, no network console
is working).

But for anyone familiar with the driver's internals it
should be easy to figure the issue out.

This is, in my opinion, quite a serious issue. And I've no
idea why it is being ignored for several months.

Thanks.

/mjt
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/