| Message ID | 20170825110355.2913-2-kleber.souza@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 25/08/17 12:03, Kleber Sacilotto de Souza wrote: > From: Eric Dumazet <edumazet@google.com> > > CVE-2017-6214 > > Splicing from TCP socket is vulnerable when a packet with URG flag is > received and stored into receive queue. > > __tcp_splice_read() returns 0, and sk_wait_data() immediately > returns since there is the problematic skb in queue. > > This is a nice way to burn cpu (aka infinite loop) and trigger > soft lockups. > > Again, this gem was found by syzkaller tool. > > Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.") > Signed-off-by: Eric Dumazet <edumazet@google.com> > Reported-by: Dmitry Vyukov <dvyukov@google.com> > Cc: Willy Tarreau <w@1wt.eu> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > net/ipv4/tcp.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c > index dd0655938f2d..16b5118d334f 100644 > --- a/net/ipv4/tcp.c > +++ b/net/ipv4/tcp.c > @@ -723,6 +723,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, > ret = -EAGAIN; > break; > } > + /* if __tcp_splice_read() got nothing while we have > + * an skb in receive queue, we do not want to loop. > + * This might happen with URG data. > + */ > + if (!skb_queue_empty(&sk->sk_receive_queue)) > + break; > sk_wait_data(sk, &timeo, NULL); > if (signal_pending(current)) { > ret = sock_intr_errno(timeo); > Clean cherry pick, looks sane to me Acked-by: Colin Ian King <colin.king@canonical.com>
On 25.08.2017 13:03, Kleber Sacilotto de Souza wrote: > From: Eric Dumazet <edumazet@google.com> > > CVE-2017-6214 > > Splicing from TCP socket is vulnerable when a packet with URG flag is > received and stored into receive queue. > > __tcp_splice_read() returns 0, and sk_wait_data() immediately > returns since there is the problematic skb in queue. > > This is a nice way to burn cpu (aka infinite loop) and trigger > soft lockups. > > Again, this gem was found by syzkaller tool. > > Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.") > Signed-off-by: Eric Dumazet <edumazet@google.com> > Reported-by: Dmitry Vyukov <dvyukov@google.com> > Cc: Willy Tarreau <w@1wt.eu> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > net/ipv4/tcp.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c > index dd0655938f2d..16b5118d334f 100644 > --- a/net/ipv4/tcp.c > +++ b/net/ipv4/tcp.c > @@ -723,6 +723,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, > ret = -EAGAIN; > break; > } > + /* if __tcp_splice_read() got nothing while we have > + * an skb in receive queue, we do not want to loop. > + * This might happen with URG data. > + */ > + if (!skb_queue_empty(&sk->sk_receive_queue)) > + break; > sk_wait_data(sk, &timeo, NULL); > if (signal_pending(current)) { > ret = sock_intr_errno(timeo); >
Applied on trusty/master-next branch. Thanks.
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index dd0655938f2d..16b5118d334f 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -723,6 +723,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, ret = -EAGAIN; break; } + /* if __tcp_splice_read() got nothing while we have + * an skb in receive queue, we do not want to loop. + * This might happen with URG data. + */ + if (!skb_queue_empty(&sk->sk_receive_queue)) + break; sk_wait_data(sk, &timeo, NULL); if (signal_pending(current)) { ret = sock_intr_errno(timeo);