Date: Thu, 23 Feb 2017 19:36:58 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Cc: Dmitry Vyukov <dvyukov@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Willy Tarreau <w@....eu>, "David S. Miller" <davem@...emloft.net> Subject: Linux: CVE-2017-6214: ipv4/tcp: infinite loop in tcp_splice_read() Hi CVE-2017-6214 has been assigned for the following commit in Linux by MITRE (via the webform): https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82 as included in v4.10-rc8: > tcp: avoid infinite loop in tcp_splice_read() > > Splicing from TCP socket is vulnerable when a packet with URG flag is > received and stored into receive queue. > > __tcp_splice_read() returns 0, and sk_wait_data() immediately > returns since there is the problematic skb in queue. > > This is a nice way to burn cpu (aka infinite loop) and trigger > soft lockups. > > Again, this gem was found by syzkaller tool. > > Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.") > Signed-off-by: Eric Dumazet <edumazet@...gle.com> > Reported-by: Dmitry Vyukov <dvyukov@...gle.com> > Cc: Willy Tarreau <w@....eu> > Signed-off-by: David S. Miller <davem@...emloft.net> The fix was backported to 4.9.11 (0f895f51a831d73ce24158534784aba5b2a72a9e). Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.