[Devel] [PATCH RHEL7 COMMIT] ms/tcp: avoid infinite loop in tcp_splice_read()
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Feb 27 05:55:29 PST 2017
Please consider this to ReadyKernel.
https://readykernel.com/
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 02/27/2017 04:53 PM, Konstantin Khorenko wrote:
> The commit is pushed to "branch-rh7-3.10.0-514.6.1.vz7.28.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
> after rh7-3.10.0-514.6.1.vz7.28.7
> ------>
> commit b207397b05680d0d47b484ff3090194eb10f5cc8
> Author: Eric Dumazet <edumazet at google.com>
> Date: Fri Feb 3 14:59:38 2017 -0800
>
> ms/tcp: avoid infinite loop in tcp_splice_read()
>
> Splicing from TCP socket is vulnerable when a packet with URG flag is
> received and stored into receive queue.
>
> __tcp_splice_read() returns 0, and sk_wait_data() immediately
> returns since there is the problematic skb in queue.
>
> This is a nice way to burn cpu (aka infinite loop) and trigger
> soft lockups.
>
> Again, this gem was found by syzkaller tool.
>
> Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Reported-by: Dmitry Vyukov <dvyukov at google.com>
> Cc: Willy Tarreau <w at 1wt.eu>
> Signed-off-by: David S. Miller <davem at davemloft.net>
>
> https://jira.sw.ru/browse/PSBM-61135
> https://bugzilla.redhat.com/show_bug.cgi?id=1426542
> CVE-2017-6214 kernel: ipv4/tcp: Infinite loop in tcp_splice_read()
>
> (cherry picked from commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82)
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
More information about the Devel
mailing list