Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 1 Sep 2017 19:20:54 +0300
From: Vasily Averin <vvs@...tuozzo.com>
To: oss-security@...ts.openwall.com
Cc: Andrey Konovalov <andreyknvl@...gle.com>
Subject: CVE-2017-14106 kernel: net/ipv4: divide by 0 in __tcp_select_window()

[Suggested description]
The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows
local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) 
by triggering a disconnect within a certain tcp_recvmsg code path.

[VulnerabilityType Other]
CWE-369: Divide By Zero

[Reference]
https://groups.google.com/forum/#!topic/syzkaller/e4SrsEBEziQ
https://www.mail-archive.com/netdev@...r.kernel.org/msg186255.html
https://github.com/torvalds/linux/commit/499350a5a6e7512d9ed369ed63a4244b6536f4f8
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=499350a5a6e7512d9ed369ed63a4244b6536f4f8


[Discoverer]
Andrey Konovalov  <andreyknvl@...gle.com>

It was fixed in linux mainline 4.12-rc3

commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8
Author: Wei Wang <weiwan@...gle.com>
Date:   Thu May 18 11:22:33 2017 -0700

    tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
    
    When tcp_disconnect() is called, inet_csk_delack_init() sets
    icsk->icsk_ack.rcv_mss to 0.
    This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
    __tcp_select_window() call path to have division by 0 issue.
    So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.
    
    Reported-by: Andrey Konovalov  <andreyknvl@...gle.com>
    Signed-off-by: Wei Wang <weiwan@...gle.com>
    Signed-off-by: Eric Dumazet <edumazet@...gle.com>
    Signed-off-by: Neal Cardwell <ncardwell@...gle.com>
    Signed-off-by: Yuchung Cheng <ycheng@...gle.com>
    Signed-off-by: David S. Miller <davem@...emloft.net>

Thank you,
	Vasily Averin

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ