CVE-2017-14106 kernel: net/ipv4: divide by 0 in __tcp_select_window()

[Vasily Averin <vvs () virtuozzo com>]

[Suggested description]
The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows
local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) 
by triggering a disconnect within a certain tcp_recvmsg code path.

[VulnerabilityType Other]
CWE-369: Divide By Zero

[Reference]
https://groups.google.com/forum/#!topic/syzkaller/e4SrsEBEziQ
https://www.mail-archive.com/netdev () vger kernel org/msg186255.html
https://github.com/torvalds/linux/commit/499350a5a6e7512d9ed369ed63a4244b6536f4f8
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=499350a5a6e7512d9ed369ed63a4244b6536f4f8


[Discoverer]
Andrey Konovalov  <andreyknvl () google com>

It was fixed in linux mainline 4.12-rc3

commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8
Author: Wei Wang <weiwan () google com>
Date:   Thu May 18 11:22:33 2017 -0700

    tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
    
    When tcp_disconnect() is called, inet_csk_delack_init() sets
    icsk->icsk_ack.rcv_mss to 0.
    This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
    __tcp_select_window() call path to have division by 0 issue.
    So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.
    
    Reported-by: Andrey Konovalov  <andreyknvl () google com>
    Signed-off-by: Wei Wang <weiwan () google com>
    Signed-off-by: Eric Dumazet <edumazet () google com>
    Signed-off-by: Neal Cardwell <ncardwell () google com>
    Signed-off-by: Yuchung Cheng <ycheng () google com>
    Signed-off-by: David S. Miller <davem () davemloft net>

Thank you,
        Vasily Averin