[linux] 01/01: tcp: avoid infinite loop in tcp_splice_read() (CVE-2017-6214)

debian-kernel at lists.debian.org
Tue Mar 7 16:39:08 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 61f1eb2927ae6596395d05b55a69c384dcae6001
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Tue Mar 7 17:36:04 2017 +0100

    tcp: avoid infinite loop in tcp_splice_read() (CVE-2017-6214)
---
 debian/changelog                                   |  1 +
 ...cp-avoid-infinite-loop-in-tcp_splice_read.patch | 48 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 50 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6047115..cb0bf5a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux (3.16.39-1+deb8u2) UNRELEASED; urgency=medium
   * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
   * sctp: deny peeloff operation on asocs with threads sleeping on it
     (CVE-2017-6353)
+  * tcp: avoid infinite loop in tcp_splice_read() (CVE-2017-6214)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 07 Mar 2017 17:10:30 +0100
 
diff --git a/debian/patches/bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch b/debian/patches/bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
new file mode 100644
index 0000000..9865636
--- /dev/null
+++ b/debian/patches/bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
@@ -0,0 +1,48 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 3 Feb 2017 14:59:38 -0800
+Subject: tcp: avoid infinite loop in tcp_splice_read()
+Origin: https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6214
+
+Splicing from TCP socket is vulnerable when a packet with URG flag is
+received and stored into receive queue.
+
+__tcp_splice_read() returns 0, and sk_wait_data() immediately
+returns since there is the problematic skb in queue.
+
+This is a nice way to burn cpu (aka infinite loop) and trigger
+soft lockups.
+
+Again, this gem was found by syzkaller tool.
+
+Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Dmitry Vyukov  <dvyukov at google.com>
+Cc: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ipv4/tcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 9ee5a4bbb289..068ffa698318 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -765,6 +765,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
+ 				ret = -EAGAIN;
+ 				break;
+ 			}
++			/* if __tcp_splice_read() got nothing while we have
++			 * an skb in receive queue, we do not want to loop.
++			 * This might happen with URG data.
++			 */
++			if (!skb_queue_empty(&sk->sk_receive_queue))
++				break;
+ 			sk_wait_data(sk, &timeo);
+ 			if (signal_pending(current)) {
+ 				ret = sock_intr_errno(timeo);
+-- 
+2.11.0
+
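Review bot: the new `if (!skb_queue_empty(&sk->sk_receive_queue)) break;` guard placed after the `-EAGAIN` check leaves the loop with `ret` unchanged, so the caller receives whatever was spliced so far (possibly 0) instead of re-entering `sk_wait_data()`, which the description says returns immediately while the URG skb sits in the queue; that is the intended fix, but since the skb stays queued, the patch description should state what a caller sees on a repeated splice call. The `[bwh: Backported to 3.16: adjust context]` note is consistent with the two-argument `sk_wait_data(sk, &timeo);` visible in the context lines, and the DEP-3 `Origin:` and `Bug-Debian-Security:` headers allow the backport to be cross-checked against the upstream commit.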
diff --git a/debian/patches/series b/debian/patches/series
index 50a0e35..5c15abe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -696,6 +696,7 @@ bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch
 bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
 bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
 bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
+bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git