[{"id":1766250,"web_url":"http://patchwork.ozlabs.org/comment/1766250/","msgid":"<15b298b4-9d22-df25-520a-8965fb2b8a02@canonical.com>","list_archive_url":null,"date":"2017-09-11T11:46:07","subject":"ACK: [CVE-2017-14106][T/X/Z SRU][PATCH] tcp: initialize rcv_mss to\n\tTCP_MIN_MSS instead of 0","submitter":{"id":2898,"url":"http://patchwork.ozlabs.org/api/people/2898/","name":"Stefan Bader","email":"stefan.bader@canonical.com"},"content":"On 11.09.2017 08:23, Po-Hsu Lin wrote:\n> From: Wei Wang <weiwan@google.com>\n> \n> CVE-2017-14106\n> \n> When tcp_disconnect() is called, inet_csk_delack_init() sets\n> icsk->icsk_ack.rcv_mss to 0.\n> This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>\n> __tcp_select_window() call path to have division by 0 issue.\n> So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.\n> \n> Reported-by: Andrey Konovalov  <andreyknvl@google.com>\n> Signed-off-by: Wei Wang <weiwan@google.com>\n> Signed-off-by: Eric Dumazet <edumazet@google.com>\n> Signed-off-by: Neal Cardwell <ncardwell@google.com>\n> Signed-off-by: Yuchung Cheng <ycheng@google.com>\n> Signed-off-by: David S. Miller <davem@davemloft.net>\n> (cherry picked from commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8)\n> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>\nAcked-by: Stefan Bader <stefan.bader@canonical.com>\n\n> ---\n>  net/ipv4/tcp.c | 4 ++++\n>  1 file changed, 4 insertions(+)\n> \n> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c\n> index 16b5118..46c45a0 100644\n> --- a/net/ipv4/tcp.c\n> +++ b/net/ipv4/tcp.c\n> 
@@ -2202,6 +2202,10 @@ int tcp_disconnect(struct sock *sk, int flags)\n>  \ttcp_set_ca_state(sk, TCP_CA_Open);\n>  \ttcp_clear_retrans(tp);\n>  \tinet_csk_delack_init(sk);\n> +\t/* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0\n> +\t * issue in __tcp_select_window()\n> +\t */\n> +\ticsk->icsk_ack.rcv_mss = TCP_MIN_MSS;\n>  \ttcp_init_send_head(sk);\n>  \tmemset(&tp->rx_opt, 0, sizeof(tp->rx_opt));\n>  \t__sk_dst_reset(sk);\n>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xrR2r2zq0z9s83;\n\tMon, 11 Sep 2017 21:46:12 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1drNAH-0001BR-Gk; Mon, 11 Sep 2017 11:46:09 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <stefan.bader@canonical.com>)\n\tid 1drNAG-0001B2-JY\n\tfor kernel-team@lists.ubuntu.com; Mon, 11 Sep 2017 11:46:08 +0000","from 1.general.smb.uk.vpn ([10.172.193.28])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <stefan.bader@canonical.com>)\n\tid 1drNAG-0003hS-B7\n\tfor kernel-team@lists.ubuntu.com; Mon, 11 Sep 2017 11:46:08 +0000"],"Subject":"ACK: [CVE-2017-14106][T/X/Z SRU][PATCH] tcp: initialize rcv_mss to\n\tTCP_MIN_MSS instead of 
0","To":"kernel-team@lists.ubuntu.com","References":"<20170911062338.9825-1-po-hsu.lin@canonical.com>\n\t<20170911062338.9825-2-po-hsu.lin@canonical.com>","From":"Stefan Bader <stefan.bader@canonical.com>","Message-ID":"<15b298b4-9d22-df25-520a-8965fb2b8a02@canonical.com>","Date":"Mon, 11 Sep 2017 13:46:07 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170911062338.9825-2-po-hsu.lin@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"multipart/mixed;\n\tboundary=\"===============6415871583381105094==\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}},{"id":1766279,"web_url":"http://patchwork.ozlabs.org/comment/1766279/","msgid":"<23e7df31-5667-a676-8537-4c3d76e7ab15@canonical.com>","list_archive_url":null,"date":"2017-09-11T12:35:31","subject":"ACK: [CVE-2017-14106][T/X/Z SRU][PATCH] tcp: initialize rcv_mss to\n\tTCP_MIN_MSS instead of 0","submitter":{"id":2900,"url":"http://patchwork.ozlabs.org/api/people/2900/","name":"Colin Ian King","email":"colin.king@canonical.com"},"content":"On 11/09/17 07:23, Po-Hsu Lin wrote:\n> 
From: Wei Wang <weiwan@google.com>\n> \n> CVE-2017-14106\n> \n> When tcp_disconnect() is called, inet_csk_delack_init() sets\n> icsk->icsk_ack.rcv_mss to 0.\n> This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>\n> __tcp_select_window() call path to have division by 0 issue.\n> So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.\n> \n> Reported-by: Andrey Konovalov  <andreyknvl@google.com>\n> Signed-off-by: Wei Wang <weiwan@google.com>\n> Signed-off-by: Eric Dumazet <edumazet@google.com>\n> Signed-off-by: Neal Cardwell <ncardwell@google.com>\n> Signed-off-by: Yuchung Cheng <ycheng@google.com>\n> Signed-off-by: David S. Miller <davem@davemloft.net>\n> (cherry picked from commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8)\n> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>\n> ---\n>  net/ipv4/tcp.c | 4 ++++\n>  1 file changed, 4 insertions(+)\n> \n> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c\n> index 16b5118..46c45a0 100644\n> --- a/net/ipv4/tcp.c\n> +++ b/net/ipv4/tcp.c\n> 
@@ -2202,6 +2202,10 @@ int tcp_disconnect(struct sock *sk, int flags)\n>  \ttcp_set_ca_state(sk, TCP_CA_Open);\n>  \ttcp_clear_retrans(tp);\n>  \tinet_csk_delack_init(sk);\n> +\t/* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0\n> +\t * issue in __tcp_select_window()\n> +\t */\n> +\ticsk->icsk_ack.rcv_mss = TCP_MIN_MSS;\n>  \ttcp_init_send_head(sk);\n>  \tmemset(&tp->rx_opt, 0, sizeof(tp->rx_opt));\n>  \t__sk_dst_reset(sk);\n> \nClean cherry pick, looks OK.\n\nAcked-by: Colin Ian King <colin.king@canonical.com>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xrS7v6F5Jz9s7B;\n\tMon, 11 Sep 2017 22:35:39 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1drNw5-0006x4-Un; Mon, 11 Sep 2017 12:35:33 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <colin.king@canonical.com>)\n\tid 1drNw4-0006ws-AP\n\tfor kernel-team@lists.ubuntu.com; Mon, 11 Sep 2017 12:35:32 +0000","from 1.general.cking.uk.vpn ([10.172.193.212])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <colin.king@canonical.com>)\n\tid 1drNw4-0005xN-0R; Mon, 11 Sep 2017 12:35:32 +0000"],"Subject":"ACK: [CVE-2017-14106][T/X/Z SRU][PATCH] tcp: initialize rcv_mss to\n\tTCP_MIN_MSS instead of 
0","To":"kernel-team@lists.ubuntu.com","References":"<20170911062338.9825-1-po-hsu.lin@canonical.com>\n\t<20170911062338.9825-2-po-hsu.lin@canonical.com>","From":"Colin Ian King <colin.king@canonical.com>","Message-ID":"<23e7df31-5667-a676-8537-4c3d76e7ab15@canonical.com>","Date":"Mon, 11 Sep 2017 13:35:31 +0100","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101\n\tThunderbird/45.8.0","MIME-Version":"1.0","In-Reply-To":"<20170911062338.9825-2-po-hsu.lin@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}},{"id":1769188,"web_url":"http://patchwork.ozlabs.org/comment/1769188/","msgid":"<84ddd3bf-9b1f-75c0-d592-f19980435ce6@canonical.com>","list_archive_url":null,"date":"2017-09-15T13:34:19","subject":"APPLIED T/X/Z: [CVE-2017-14106][T/X/Z SRU][PATCH] tcp: initialize\n\trcv_mss to TCP_MIN_MSS instead of 0","submitter":{"id":2898,"url":"http://patchwork.ozlabs.org/api/people/2898/","name":"Stefan Bader","email":"stefan.bader@canonical.com"},"content":"On 11.09.2017 08:23, Po-Hsu Lin wrote:\n> 
From: Wei Wang <weiwan@google.com>\n> \n> CVE-2017-14106\n> \n> When tcp_disconnect() is called, inet_csk_delack_init() sets\n> icsk->icsk_ack.rcv_mss to 0.\n> This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>\n> __tcp_select_window() call path to have division by 0 issue.\n> So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.\n> \n> Reported-by: Andrey Konovalov  <andreyknvl@google.com>\n> Signed-off-by: Wei Wang <weiwan@google.com>\n> Signed-off-by: Eric Dumazet <edumazet@google.com>\n> Signed-off-by: Neal Cardwell <ncardwell@google.com>\n> Signed-off-by: Yuchung Cheng <ycheng@google.com>\n> Signed-off-by: David S. Miller <davem@davemloft.net>\n> (cherry picked from commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8)\n> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>\n> ---\n>  net/ipv4/tcp.c | 4 ++++\n>  1 file changed, 4 insertions(+)\n> \n> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c\n> index 16b5118..46c45a0 100644\n> --- a/net/ipv4/tcp.c\n> +++ b/net/ipv4/tcp.c\n> 
@@ -2202,6 +2202,10 @@ int tcp_disconnect(struct sock *sk, int flags)\n>  \ttcp_set_ca_state(sk, TCP_CA_Open);\n>  \ttcp_clear_retrans(tp);\n>  \tinet_csk_delack_init(sk);\n> +\t/* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0\n> +\t * issue in __tcp_select_window()\n> +\t */\n> +\ticsk->icsk_ack.rcv_mss = TCP_MIN_MSS;\n>  \ttcp_init_send_head(sk);\n>  \tmemset(&tp->rx_opt, 0, sizeof(tp->rx_opt));\n>  \t__sk_dst_reset(sk);\n> \nApplied to Trusty, Xenial, and Zesty master-next","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xtxFw02vXz9sxR;\n\tFri, 15 Sep 2017 23:34:28 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dsqlC-00087O-UM; Fri, 15 Sep 2017 13:34:22 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dsqlA-00086r-B8\n\tfor kernel-team@lists.ubuntu.com; Fri, 15 Sep 2017 13:34:20 +0000","from 1.general.smb.uk.vpn ([10.172.193.28])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dsqlA-000508-3G\n\tfor kernel-team@lists.ubuntu.com; Fri, 15 Sep 2017 13:34:20 +0000"],"Subject":"APPLIED T/X/Z: [CVE-2017-14106][T/X/Z SRU][PATCH] tcp: initialize\n\trcv_mss to TCP_MIN_MSS instead 
of 0","To":"kernel-team@lists.ubuntu.com","References":"<20170911062338.9825-1-po-hsu.lin@canonical.com>\n\t<20170911062338.9825-2-po-hsu.lin@canonical.com>","From":"Stefan Bader <stefan.bader@canonical.com>","Message-ID":"<84ddd3bf-9b1f-75c0-d592-f19980435ce6@canonical.com>","Date":"Fri, 15 Sep 2017 15:34:19 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170911062338.9825-2-po-hsu.lin@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"multipart/mixed;\n\tboundary=\"===============4776501704133668198==\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}}]
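Review bot: in the tcp_disconnect() hunk quoted in each reply above, the added `icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;` is only correct because it comes after `inet_csk_delack_init(sk);`, which the commit message says resets rcv_mss to 0. The new comment should state that ordering dependency so a later reshuffle of these calls does not silently bring the zero divisor back. The hunk also dereferences `icsk`, while the visible context lines only use `sk` and `tp`, so for each of the Trusty, Xenial and Zesty trees it is worth confirming that `icsk` is declared in tcp_disconnect() before relying on the cherry-pick applying cleanly. Finally, the change covers the tcp_disconnect() path only; __tcp_select_window() still divides by rcv_mss without a check of its own, so any other path that leaves the field at 0 would reach the same division.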