[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read()
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2017-02-23 18:36:58
Message-ID: 20170223183658.zqlncw72y6hyhjil () eldamar ! local
[Download RAW message or body]
Hi
CVE-2017-6214 has been assigned for the following commit in Linux by
MITRE (via the webform):
https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82
as included in v4.10-rc8:
> tcp: avoid infinite loop in tcp_splice_read()
>
> Splicing from TCP socket is vulnerable when a packet with URG flag is
> received and stored into receive queue.
>
> __tcp_splice_read() returns 0, and sk_wait_data() immediately
> returns since there is the problematic skb in queue.
>
> This is a nice way to burn cpu (aka infinite loop) and trigger
> soft lockups.
>
> Again, this gem was found by syzkaller tool.
>
> Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Willy Tarreau <w@1wt.eu>
> Signed-off-by: David S. Miller <davem@davemloft.net>
The fix was backported to 4.9.11
(0f895f51a831d73ce24158534784aba5b2a72a9e).
Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic