[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read()
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2017-02-23 18:36:58
Message-ID: 20170223183658.zqlncw72y6hyhjil () eldamar ! local
[Download RAW message or body]

Hi

CVE-2017-6214 has been assigned for the following commit in Linux by
MITRE (via the webform):

https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82

as included in v4.10-rc8:

>     tcp: avoid infinite loop in tcp_splice_read()
>     
>     Splicing from TCP socket is vulnerable when a packet with URG flag is
>     received and stored into receive queue.
>     
>     __tcp_splice_read() returns 0, and sk_wait_data() immediately
>     returns since there is the problematic skb in queue.
>     
>     This is a nice way to burn cpu (aka infinite loop) and trigger
>     soft lockups.
>     
>     Again, this gem was found by syzkaller tool.
>     
>     Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
>     Signed-off-by: Eric Dumazet <edumazet@google.com>
>     Reported-by: Dmitry Vyukov  <dvyukov@google.com>
>     Cc: Willy Tarreau <w@1wt.eu>
>     Signed-off-by: David S. Miller <davem@davemloft.net>

The fix was backported to 4.9.11
(0f895f51a831d73ce24158534784aba5b2a72a9e).

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]