From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S941215AbcKOBK5 (ORCPT ); Mon, 14 Nov 2016 20:10:57 -0500 Received: from violet.fr.zoreil.com ([92.243.8.30]:45152 "EHLO violet.fr.zoreil.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S938974AbcKOBKy (ORCPT ); Mon, 14 Nov 2016 20:10:54 -0500 Date: Tue, 15 Nov 2016 02:10:44 +0100 From: Francois Romieu To: Hayes Wang Cc: "netdev@vger.kernel.org" , nic_swsd , "linux-kernel@vger.kernel.org" , "linux-usb@vger.kernel.org" , "mlord@pobox.com" Subject: Re: [PATCH net 2/2] r8152: rx descriptor check Message-ID: <20161115011044.GA13220@electric-eye.fr.zoreil.com> References: <1394712342-15778-226-Taiwan-albertk@realtek.com> <1394712342-15778-228-Taiwan-albertk@realtek.com> <20161111121311.GA19673@electric-eye.fr.zoreil.com> <0835B3720019904CB8F7AA43166CEEB20104EAF8@RTITMBSV03.realtek.com.tw> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0835B3720019904CB8F7AA43166CEEB20104EAF8@RTITMBSV03.realtek.com.tw> X-Organisation: Land of Sunshine Inc. User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hayes Wang : > Francois Romieu [mailto:romieu@fr.zoreil.com] > > Sent: Friday, November 11, 2016 8:13 PM > [...] > > Invalid packet size corrupted receive descriptors in Realtek's device > > reminds of CVE-2009-4537. > > Do you mean that the driver would get a packet exceed the size > which is set to RxMaxSize ? If it was possible to get it wrong once, it should be possible to get it wrong twice, especially if some part of the hardware design is recycled. I don't mean anything else. I won't speculate about some cache consistency issue or some badly aborted dma transaction to explain the memory corruption. -- Ueimor