Author: gordon Date: Tue Sep 15 21:42:05 2020 New Revision: 365778 URL: https://svnweb.freebsd.org/changeset/base/365778
Log: Fix ure device driver susceptible to packet-in-packet attack. Approved by: so Approved by: re (implicit for releng/12.2) Security: FreeBSD-SA-20:27.ure Security: CVE-2020-7464 Modified: releng/11.3/sys/dev/usb/net/if_ure.c releng/11.4/sys/dev/usb/net/if_ure.c releng/12.1/sys/dev/usb/net/if_ure.c releng/12.2/sys/dev/usb/net/if_ure.c
Modified: releng/11.3/sys/dev/usb/net/if_ure.c
==============================================================================
--- releng/11.3/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777)
+++ releng/11.3/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778)
@@ -710,7 +710,9 @@ ure_init(struct usb_ether *ue)
 ~URE_RXDY_GATED_EN);
 /* Set Rx mode. */
- rxmode = URE_RCR_APM;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~URE_RCR_ACPT_ALL;
+ rxmode |= URE_RCR_APM;
 /* If we want promiscuous mode, set the allframes bit. */
 if (ifp->if_flags & IFF_PROMISC)
Modified: releng/11.4/sys/dev/usb/net/if_ure.c
==============================================================================
--- releng/11.4/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777)
+++ releng/11.4/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778)
@@ -710,7 +710,9 @@ ure_init(struct usb_ether *ue)
 ~URE_RXDY_GATED_EN);
 /* Set Rx mode. */
- rxmode = URE_RCR_APM;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~URE_RCR_ACPT_ALL;
+ rxmode |= URE_RCR_APM;
 /* If we want promiscuous mode, set the allframes bit. */
 if (ifp->if_flags & IFF_PROMISC)
Modified: releng/12.1/sys/dev/usb/net/if_ure.c
==============================================================================
--- releng/12.1/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777)
+++ releng/12.1/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778)
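Review bot: In the releng/11.3 `ure_init()` hunk, the new `rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);` feeds whatever the USB read returns straight into the value that is later written back, and nothing visible here tells a failed control transfer from a real register value. How `ure_read_4()` behaves on error is outside the hunk, so this is a question rather than a confirmed defect: if it can return stale or arbitrary data, the preserved non-filter bits are unvalidated and the receiver may still be programmed incorrectly. Either way the reason for the read-modify-write deserves a comment so it is not later simplified back to a plain assignment, e.g. `/* Keep the non-filter bits of PLA_RCR; overwriting them is what FreeBSD-SA-20:27.ure fixes. */`. The identical releng/11.4 hunk and the `ure_rxfilter()` hunks for releng/12.1 and 12.2 contain the same read; `ure_init()` starts and ends outside the hunk.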
@@ -784,9 +784,10 @@ ure_rxfilter(struct usb_ether *ue)
 URE_LOCK_ASSERT(sc, MA_OWNED);
- rxmode = URE_RCR_APM;
- if (ifp->if_flags & IFF_BROADCAST)
- rxmode |= URE_RCR_AB;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~(URE_RCR_AAP | URE_RCR_AM);
+ rxmode |= URE_RCR_APM; /* accept physical match packets */
+ rxmode |= URE_RCR_AB; /* always accept broadcasts */
 if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) {
 if (ifp->if_flags & IFF_PROMISC)
 rxmode |= URE_RCR_AAP;
Modified: releng/12.2/sys/dev/usb/net/if_ure.c
==============================================================================
--- releng/12.2/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777)
+++ releng/12.2/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778)
@@ -784,9 +784,10 @@ ure_rxfilter(struct usb_ether *ue)
 URE_LOCK_ASSERT(sc, MA_OWNED);
- rxmode = URE_RCR_APM;
- if (ifp->if_flags & IFF_BROADCAST)
- rxmode |= URE_RCR_AB;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~(URE_RCR_AAP | URE_RCR_AM);
+ rxmode |= URE_RCR_APM; /* accept physical match packets */
+ rxmode |= URE_RCR_AB; /* always accept broadcasts */
 if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) {
 if (ifp->if_flags & IFF_PROMISC)
 rxmode |= URE_RCR_AAP;
_______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
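Review bot: The clear mask in the releng/12.1 `ure_rxfilter()` hunk is `~(URE_RCR_AAP | URE_RCR_AM)`, while the releng/11.x hunks of this same commit clear `~URE_RCR_ACPT_ALL`, so any other accept bit already set in the register when it is read is carried through here. The definition of `URE_RCR_ACPT_ALL` is not on this page; if it exists on the 12.x branches, `rxmode &= ~URE_RCR_ACPT_ALL;` would start both code paths from the same known filter state before `URE_RCR_APM` and `URE_RCR_AB` are set. If the narrower mask is deliberate, a short comment saying which bits must survive would record that. The same applies to the identical releng/12.2 hunk; `ure_rxfilter()` starts and ends outside the hunk.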