ACK: [PATCH 1/1] tcp: avoid infinite loop in tcp_splice_read()

Stefan Bader stefan.bader at canonical.com
Fri Aug 25 12:23:00 UTC 2017


On 25.08.2017 13:03, Kleber Sacilotto de Souza wrote:
> From: Eric Dumazet <edumazet at google.com>
> 
> CVE-2017-6214
> 
> Splicing from TCP socket is vulnerable when a packet with URG flag is
> received and stored into receive queue.
> 
> __tcp_splice_read() returns 0, and sk_wait_data() immediately
> returns since there is the problematic skb in queue.
> 
> This is a nice way to burn cpu (aka infinite loop) and trigger
> soft lockups.
> 
> Again, this gem was found by syzkaller tool.
> 
> Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Reported-by: Dmitry Vyukov  <dvyukov at google.com>
> Cc: Willy Tarreau <w at 1wt.eu>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>

> ---
>  net/ipv4/tcp.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index dd0655938f2d..16b5118d334f 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -723,6 +723,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
>  				ret = -EAGAIN;
>  				break;
>  			}
> +			/* if __tcp_splice_read() got nothing while we have
> +			 * an skb in receive queue, we do not want to loop.
> +			 * This might happen with URG data.
> +			 */
> +			if (!skb_queue_empty(&sk->sk_receive_queue))
> +				break;
>  			sk_wait_data(sk, &timeo, NULL);
>  			if (signal_pending(current)) {
>  				ret = sock_intr_errno(timeo);
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20170825/1a4e68ab/attachment.sig>


More information about the kernel-team mailing list