oss-sec mailing list archives
Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read()
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 23 Feb 2017 19:36:58 +0100
Hi CVE-2017-6214 has been assigned for the following commit in Linux by MITRE (via the webform): https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82 as included in v4.10-rc8:
tcp: avoid infinite loop in tcp_splice_read() Splicing from TCP socket is vulnerable when a packet with URG flag is received and stored into receive queue. __tcp_splice_read() returns 0, and sk_wait_data() immediately returns since there is the problematic skb in queue. This is a nice way to burn cpu (aka infinite loop) and trigger soft lockups. Again, this gem was found by syzkaller tool. Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.") Signed-off-by: Eric Dumazet <edumazet () google com> Reported-by: Dmitry Vyukov <dvyukov () google com> Cc: Willy Tarreau <w () 1wt eu> Signed-off-by: David S. Miller <davem () davemloft net>
The fix was backported to 4.9.11 (0f895f51a831d73ce24158534784aba5b2a72a9e). Regards, Salvatore
Current thread:
- Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read() Salvatore Bonaccorso (Feb 23)