Re: [PATCH net 2/2] r8152: rx descriptor check

From: Francois Romieu
Date: Mon Nov 14 2016 - 20:11:00 EST


Hayes Wang <hayeswang@xxxxxxxxxxx> :
> Francois Romieu [mailto:romieu@xxxxxxxxxxxxx]
> > Sent: Friday, November 11, 2016 8:13 PM
> [...]
> > Invalid packet size corrupted receive descriptors in Realtek's device
> > reminds of CVE-2009-4537.
>
> Do you mean that the driver would get a packet exceed the size
> which is set to RxMaxSize ?

If it was possible to get it wrong once, it should be possible to
get it wrong twice, especially if some part of the hardware design
is recycled. I don't mean anything else.

I won't speculate about some cache consistency issue or some badly
aborted dma transaction to explain the memory corruption.

--
Ueimor