oss-sec mailing list archives
CVE-2017-14106 kernel: net/ipv4: divide by 0 in __tcp_select_window()
From: Vasily Averin <vvs () virtuozzo com>
Date: Fri, 1 Sep 2017 19:20:54 +0300
[Suggested description] The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. [VulnerabilityType Other] CWE-369: Divide By Zero [Reference] https://groups.google.com/forum/#!topic/syzkaller/e4SrsEBEziQ https://www.mail-archive.com/netdev () vger kernel org/msg186255.html https://github.com/torvalds/linux/commit/499350a5a6e7512d9ed369ed63a4244b6536f4f8 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=499350a5a6e7512d9ed369ed63a4244b6536f4f8 [Discoverer] Andrey Konovalov <andreyknvl () google com> It was fixed in linux mainline 4.12-rc3 commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8 Author: Wei Wang <weiwan () google com> Date: Thu May 18 11:22:33 2017 -0700 tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 When tcp_disconnect() is called, inet_csk_delack_init() sets icsk->icsk_ack.rcv_mss to 0. This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() => __tcp_select_window() call path to have division by 0 issue. So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0. Reported-by: Andrey Konovalov <andreyknvl () google com> Signed-off-by: Wei Wang <weiwan () google com> Signed-off-by: Eric Dumazet <edumazet () google com> Signed-off-by: Neal Cardwell <ncardwell () google com> Signed-off-by: Yuchung Cheng <ycheng () google com> Signed-off-by: David S. Miller <davem () davemloft net> Thank you, Vasily Averin
Current thread:
- CVE-2017-14106 kernel: net/ipv4: divide by 0 in __tcp_select_window() Vasily Averin (Sep 01)