Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 23 Feb 2017 19:36:58 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: Dmitry Vyukov <dvyukov@...gle.com>, Eric Dumazet <edumazet@...gle.com>,
	Willy Tarreau <w@....eu>, "David S. Miller" <davem@...emloft.net>
Subject: Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read()

Hi

CVE-2017-6214 has been assigned for the following commit in Linux by
MITRE (via the webform):

https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82

as included in v4.10-rc8:

>     tcp: avoid infinite loop in tcp_splice_read()
>     
>     Splicing from TCP socket is vulnerable when a packet with URG flag is
>     received and stored into receive queue.
>     
>     __tcp_splice_read() returns 0, and sk_wait_data() immediately
>     returns since there is the problematic skb in queue.
>     
>     This is a nice way to burn cpu (aka infinite loop) and trigger
>     soft lockups.
>     
>     Again, this gem was found by syzkaller tool.
>     
>     Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
>     Signed-off-by: Eric Dumazet <edumazet@...gle.com>
>     Reported-by: Dmitry Vyukov  <dvyukov@...gle.com>
>     Cc: Willy Tarreau <w@....eu>
>     Signed-off-by: David S. Miller <davem@...emloft.net>

The fix was backported to 4.9.11
(0f895f51a831d73ce24158534784aba5b2a72a9e).

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.