ACK: [PATCH 1/1] tcp: avoid infinite loop in tcp_splice_read()
Stefan Bader
stefan.bader at canonical.com
Fri Aug 25 12:23:00 UTC 2017
On 25.08.2017 13:03, Kleber Sacilotto de Souza wrote:
> From: Eric Dumazet <edumazet at google.com>
>
> CVE-2017-6214
>
> Splicing from TCP socket is vulnerable when a packet with URG flag is
> received and stored into receive queue.
>
> __tcp_splice_read() returns 0, and sk_wait_data() immediately
> returns since there is the problematic skb in queue.
>
> This is a nice way to burn cpu (aka infinite loop) and trigger
> soft lockups.
>
> Again, this gem was found by syzkaller tool.
>
> Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Reported-by: Dmitry Vyukov <dvyukov at google.com>
> Cc: Willy Tarreau <w at 1wt.eu>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> net/ipv4/tcp.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index dd0655938f2d..16b5118d334f 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -723,6 +723,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
> ret = -EAGAIN;
> break;
> }
> + /* if __tcp_splice_read() got nothing while we have
> + * an skb in receive queue, we do not want to loop.
> + * This might happen with URG data.
> + */
> + if (!skb_queue_empty(&sk->sk_receive_queue))
> + break;
> sk_wait_data(sk, &timeo, NULL);
> if (signal_pending(current)) {
> ret = sock_intr_errno(timeo);
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20170825/1a4e68ab/attachment.sig>
More information about the kernel-team
mailing list