Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 25 Jan 2016 09:02:07 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Linux potential division by zero in TCP code

While looking for something else entirely, I came across this commit,
initially reported at <https://lkml.org/lkml/2015/12/21/435>:

commit 8b8a321ff72c785ed5e8b4cf6eda20b35d427390
Author: Yuchung Cheng <ycheng@...gle.com>
Date:   Wed Jan 6 12:42:38 2016 -0800

    tcp: fix zero cwnd in tcp_cwnd_reduction
    
    Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
    conditionally") introduced a bug that cwnd may become 0 when both
    inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
    to a div-by-zero if the connection starts another cwnd reduction
    phase by setting tp->prior_cwnd to the current cwnd (0) in
    tcp_init_cwnd_reduction().
    
    To prevent this we skip PRR operation when nothing is acked or
    sacked. Then cwnd must be positive in all cases as long as ssthresh
    is positive:
    
    1) The proportional reduction mode
       inflight > ssthresh > 0
    
    2) The reduction bound mode
      a) inflight == ssthresh > 0
    
      b) inflight < ssthresh
         sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
    
    Therefore in all cases inflight and sndcnt can not both be 0.
    We check invalid tp->prior_cwnd to avoid potential div0 bugs.
    
    In reality this bug is triggered only with a sequence of less common
    events.  For example, the connection is terminating an ECN-triggered
    cwnd reduction with an inflight 0, then it receives reordered/old
    ACKs or DSACKs from prior transmission (which acks nothing). Or the
    connection is in fast recovery stage that marks everything lost,
    but fails to retransmit due to local issues, then receives data
    packets from other end which acks nothing.


I haven't analyzed this, but it looks potentially security-relvant
(although the last paragraph above suggests it's not entirely
straightforward to trigger).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.