oss-sec mailing list archives

Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read()

From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 23 Feb 2017 19:36:58 +0100

Hi

CVE-2017-6214 has been assigned for the following commit in Linux by
MITRE (via the webform):

https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82

as included in v4.10-rc8:

    tcp: avoid infinite loop in tcp_splice_read()
    
    Splicing from TCP socket is vulnerable when a packet with URG flag is
    received and stored into receive queue.
    
    __tcp_splice_read() returns 0, and sk_wait_data() immediately
    returns since there is the problematic skb in queue.
    
    This is a nice way to burn cpu (aka infinite loop) and trigger
    soft lockups.
    
    Again, this gem was found by syzkaller tool.
    
    Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
    Signed-off-by: Eric Dumazet <edumazet () google com>
    Reported-by: Dmitry Vyukov  <dvyukov () google com>
    Cc: Willy Tarreau <w () 1wt eu>
    Signed-off-by: David S. Miller <davem () davemloft net>


The fix was backported to 4.9.11
(0f895f51a831d73ce24158534784aba5b2a72a9e).

Regards,
Salvatore

Current thread:

Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read() Salvatore Bonaccorso (Feb 23)