svn commit: r365778 - in releng: 11.3/sys/dev/usb/net 11.4/sys/dev/usb/net 12.1/sys/dev/usb/net 12.2/sys/dev/usb/net
Gordon Tetlow
gordon at FreeBSD.org
Tue Sep 15 21:42:07 UTC 2020
Author: gordon
Date: Tue Sep 15 21:42:05 2020
New Revision: 365778
URL: https://svnweb.freebsd.org/changeset/base/365778
Log:
Fix ure device driver susceptible to packet-in-packet attack.
Approved by: so
Approved by: re (implicit for releng/12.2)
Security: FreeBSD-SA-20:27.ure
Security: CVE-2020-7464
Modified:
releng/11.3/sys/dev/usb/net/if_ure.c
releng/11.4/sys/dev/usb/net/if_ure.c
releng/12.1/sys/dev/usb/net/if_ure.c
releng/12.2/sys/dev/usb/net/if_ure.c
Modified: releng/11.3/sys/dev/usb/net/if_ure.c
==============================================================================
--- releng/11.3/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777)
+++ releng/11.3/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778)
@@ -710,7 +710,9 @@ ure_init(struct usb_ether *ue)
~URE_RXDY_GATED_EN);
/* Set Rx mode. */
- rxmode = URE_RCR_APM;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~URE_RCR_ACPT_ALL;
+ rxmode |= URE_RCR_APM;
/* If we want promiscuous mode, set the allframes bit. */
if (ifp->if_flags & IFF_PROMISC)
Modified: releng/11.4/sys/dev/usb/net/if_ure.c
==============================================================================
--- releng/11.4/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777)
+++ releng/11.4/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778)
@@ -710,7 +710,9 @@ ure_init(struct usb_ether *ue)
~URE_RXDY_GATED_EN);
/* Set Rx mode. */
- rxmode = URE_RCR_APM;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~URE_RCR_ACPT_ALL;
+ rxmode |= URE_RCR_APM;
/* If we want promiscuous mode, set the allframes bit. */
if (ifp->if_flags & IFF_PROMISC)
Modified: releng/12.1/sys/dev/usb/net/if_ure.c
==============================================================================
--- releng/12.1/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777)
+++ releng/12.1/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778)
@@ -784,9 +784,10 @@ ure_rxfilter(struct usb_ether *ue)
URE_LOCK_ASSERT(sc, MA_OWNED);
- rxmode = URE_RCR_APM;
- if (ifp->if_flags & IFF_BROADCAST)
- rxmode |= URE_RCR_AB;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~(URE_RCR_AAP | URE_RCR_AM);
+ rxmode |= URE_RCR_APM; /* accept physical match packets */
+ rxmode |= URE_RCR_AB; /* always accept broadcasts */
if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) {
if (ifp->if_flags & IFF_PROMISC)
rxmode |= URE_RCR_AAP;
Modified: releng/12.2/sys/dev/usb/net/if_ure.c
==============================================================================
--- releng/12.2/sys/dev/usb/net/if_ure.c Tue Sep 15 21:28:47 2020 (r365777)
+++ releng/12.2/sys/dev/usb/net/if_ure.c Tue Sep 15 21:42:05 2020 (r365778)
@@ -784,9 +784,10 @@ ure_rxfilter(struct usb_ether *ue)
URE_LOCK_ASSERT(sc, MA_OWNED);
- rxmode = URE_RCR_APM;
- if (ifp->if_flags & IFF_BROADCAST)
- rxmode |= URE_RCR_AB;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~(URE_RCR_AAP | URE_RCR_AM);
+ rxmode |= URE_RCR_APM; /* accept physical match packets */
+ rxmode |= URE_RCR_AB; /* always accept broadcasts */
if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) {
if (ifp->if_flags & IFF_PROMISC)
rxmode |= URE_RCR_AAP;
More information about the svn-src-releng
mailing list