Date: Tue, 15 Sep 2020 21:42:05 +0000 (UTC) From: Gordon Tetlow <gordon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r365778 - in releng: 11.3/sys/dev/usb/net 11.4/sys/dev/usb/net 12.1/sys/dev/usb/net 12.2/sys/dev/usb/net Message-ID: <202009152142.08FLg5Gn046146@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: gordon Date: Tue Sep 15 21:42:05 2020 New Revision: 365778 URL: https://svnweb.freebsd.org/changeset/base/365778 Log: Fix ure device driver susceptible to packet-in-packet attack. Approved by: so Approved by: re (implicit for releng/12.2) Security: FreeBSD-SA-20:27.ure Security: CVE-2020-7464 Modified: releng/11.3/sys/dev/usb/net/if_ure.c releng/11.4/sys/dev/usb/net/if_ure.c releng/12.1/sys/dev/usb/net/if_ure.c releng/12.2/sys/dev/usb/net/if_ure.c Modified: releng/11.3/sys/dev/usb/net/if_ure.c ============================================================================== --- releng/11.3/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777) +++ releng/11.3/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778) @@ -710,7 +710,9 @@ ure_init(struct usb_ether *ue) ~URE_RXDY_GATED_EN); /* Set Rx mode. */ - rxmode = URE_RCR_APM; + rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA); + rxmode &= ~URE_RCR_ACPT_ALL; + rxmode |= URE_RCR_APM; /* If we want promiscuous mode, set the allframes bit. */ if (ifp->if_flags & IFF_PROMISC) Modified: releng/11.4/sys/dev/usb/net/if_ure.c ============================================================================== --- releng/11.4/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777) +++ releng/11.4/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778) @@ -710,7 +710,9 @@ ure_init(struct usb_ether *ue) ~URE_RXDY_GATED_EN); /* Set Rx mode. */ - rxmode = URE_RCR_APM; + rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA); + rxmode &= ~URE_RCR_ACPT_ALL; + rxmode |= URE_RCR_APM; /* If we want promiscuous mode, set the allframes bit. */ if (ifp->if_flags & IFF_PROMISC) Modified: releng/12.1/sys/dev/usb/net/if_ure.c ============================================================================== --- releng/12.1/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777) +++ releng/12.1/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778) @@ -784,9 +784,10 @@ ure_rxfilter(struct usb_ether *ue) URE_LOCK_ASSERT(sc, MA_OWNED); - rxmode = URE_RCR_APM; - if (ifp->if_flags & IFF_BROADCAST) - rxmode |= URE_RCR_AB; + rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA); + rxmode &= ~(URE_RCR_AAP | URE_RCR_AM); + rxmode |= URE_RCR_APM; /* accept physical match packets */ + rxmode |= URE_RCR_AB; /* always accept broadcasts */ if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) { if (ifp->if_flags & IFF_PROMISC) rxmode |= URE_RCR_AAP; Modified: releng/12.2/sys/dev/usb/net/if_ure.c ============================================================================== --- releng/12.2/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777) +++ releng/12.2/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778) @@ -784,9 +784,10 @@ ure_rxfilter(struct usb_ether *ue) URE_LOCK_ASSERT(sc, MA_OWNED); - rxmode = URE_RCR_APM; - if (ifp->if_flags & IFF_BROADCAST) - rxmode |= URE_RCR_AB; + rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA); + rxmode &= ~(URE_RCR_AAP | URE_RCR_AM); + rxmode |= URE_RCR_APM; /* accept physical match packets */ + rxmode |= URE_RCR_AB; /* always accept broadcasts */ if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) { if (ifp->if_flags & IFF_PROMISC) rxmode |= URE_RCR_AAP;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009152142.08FLg5Gn046146>