Date: Fri, 1 Sep 2017 19:20:54 +0300 From: Vasily Averin <vvs@...tuozzo.com> To: oss-security@...ts.openwall.com Cc: Andrey Konovalov <andreyknvl@...gle.com> Subject: CVE-2017-14106 kernel: net/ipv4: divide by 0 in __tcp_select_window() [Suggested description] The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. [VulnerabilityType Other] CWE-369: Divide By Zero [Reference] https://groups.google.com/forum/#!topic/syzkaller/e4SrsEBEziQ https://www.mail-archive.com/netdev@...r.kernel.org/msg186255.html https://github.com/torvalds/linux/commit/499350a5a6e7512d9ed369ed63a4244b6536f4f8 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=499350a5a6e7512d9ed369ed63a4244b6536f4f8 [Discoverer] Andrey Konovalov <andreyknvl@...gle.com> It was fixed in linux mainline 4.12-rc3 commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8 Author: Wei Wang <weiwan@...gle.com> Date: Thu May 18 11:22:33 2017 -0700 tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 When tcp_disconnect() is called, inet_csk_delack_init() sets icsk->icsk_ack.rcv_mss to 0. This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() => __tcp_select_window() call path to have division by 0 issue. So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0. Reported-by: Andrey Konovalov <andreyknvl@...gle.com> Signed-off-by: Wei Wang <weiwan@...gle.com> Signed-off-by: Eric Dumazet <edumazet@...gle.com> Signed-off-by: Neal Cardwell <ncardwell@...gle.com> Signed-off-by: Yuchung Cheng <ycheng@...gle.com> Signed-off-by: David S. Miller <davem@...emloft.net> Thank you, Vasily Averin
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ