{"id":812226,"url":"http://patchwork.ozlabs.org/api/1.2/patches/812226/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170911062338.9825-2-po-hsu.lin@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.2/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170911062338.9825-2-po-hsu.lin@canonical.com>","list_archive_url":null,"date":"2017-09-11T06:23:38","name":"[CVE-2017-14106,T/X/Z,SRU] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"56e223337a7989ac147f9ee41391448b142bc4ff","submitter":{"id":70488,"url":"http://patchwork.ozlabs.org/api/1.2/people/70488/?format=json","name":"Po-Hsu Lin","email":"po-hsu.lin@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170911062338.9825-2-po-hsu.lin@canonical.com/mbox/","series":[{"id":2439,"url":"http://patchwork.ozlabs.org/api/1.2/series/2439/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=2439","date":"2017-09-11T06:23:38","name":"[CVE-2017-14106,T/X/Z,SRU] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0","version":1,"mbox":"http://patchwork.ozlabs.org/series/2439/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/812226/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/812226/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; 
helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xrHty2F3Cz9sBZ;\n\tMon, 11 Sep 2017 16:23:54 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1drI8K-0008OL-E4; Mon, 11 Sep 2017 06:23:48 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <po-hsu.lin@canonical.com>)\n\tid 1drI8I-0008Nj-QZ\n\tfor kernel-team@lists.ubuntu.com; Mon, 11 Sep 2017 06:23:46 +0000","from mail-pg0-f69.google.com ([74.125.83.69])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <po-hsu.lin@canonical.com>)\n\tid 1drI8I-00051X-FC\n\tfor kernel-team@lists.ubuntu.com; Mon, 11 Sep 2017 06:23:46 +0000","by mail-pg0-f69.google.com with SMTP id d8so15239404pgt.1\n\tfor <kernel-team@lists.ubuntu.com>;\n\tSun, 10 Sep 2017 23:23:46 -0700 (PDT)","from localhost.localdomain ([175.41.48.77])\n\tby smtp.gmail.com with ESMTPSA id\n\te185sm2929967pfg.142.2017.09.10.23.23.43\n\tfor <kernel-team@lists.ubuntu.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tSun, 10 Sep 2017 23:23:44 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; 
s=20161025;\n\th=x-gm-message-state:from:to:subject:date:message-id:in-reply-to\n\t:references;\n\tbh=1ZDWEzHb3/b+gqRMThnuJU4Egq996oYpS4KUiFVsmCc=;\n\tb=JYcT72u0oyvHriQDbgFwjoM/ORHiwQuUIh6fDdAVsTrkwaFizOIv7DnUeRmsfnS1TM\n\tohkoc6H4faAP9D+Rop9wTeW7ZH/0GIzVLZuizJZebYxtS2Gr/P+76kpXTMI3Y9aeM/fB\n\tg3RY23Mladwzv5I5jfOGhq15gYSxxsTOpbtLu4SssA/eoo2ZZbiGDWGo481B+4nyoTUz\n\tXqCHFt5pTk0oqjSekxVxYdgKeyHz0J0aBJP88R5Q4TPgQBCLJFzxagvxdKxv1F8N3oC8\n\tDewkZZm/a+HVc1frPPJXuu/n99M+AvovTMqxpNo9L/5VaWygFQDhZeNOuVQ1+bgs7gt2\n\tCBhA==","X-Gm-Message-State":"AHPjjUhFbmJPXSl0YE13+OVWx2dZmwVVsNuvR6l+D22NJk+/iD9ktJ+W\n\tuApBkPr03Jg68sJ77tYmHaGnoKNZCsPJ2fpXyU9YOFxUhCHJfgjkoML/iGqQ6z/qEgr6cEDqsli\n\tOACBWDy5ygUm+X+YPKRFl0aJWxshr25rO","X-Received":["by 10.98.87.23 with SMTP id l23mr11005141pfb.77.1505111025033;\n\tSun, 10 Sep 2017 23:23:45 -0700 (PDT)","by 10.98.87.23 with SMTP id l23mr11005135pfb.77.1505111024852;\n\tSun, 10 Sep 2017 23:23:44 -0700 (PDT)"],"X-Google-Smtp-Source":"ADKCNb6fexHEIwbCJaZ/oYETAfyiKr9BUsgUxK7W3vXmReoayonM9Mj8MKVbClqsEyYCSRCJ35yADA==","From":"Po-Hsu Lin <po-hsu.lin@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[CVE-2017-14106][T/X/Z SRU][PATCH] tcp: initialize rcv_mss to\n\tTCP_MIN_MSS instead of 0","Date":"Mon, 11 Sep 2017 14:23:38 +0800","Message-Id":"<20170911062338.9825-2-po-hsu.lin@canonical.com>","X-Mailer":"git-send-email 2.11.0","In-Reply-To":"<20170911062338.9825-1-po-hsu.lin@canonical.com>","References":"<20170911062338.9825-1-po-hsu.lin@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions 
<kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Wei Wang <weiwan@google.com>\n\nCVE-2017-14106\n\nWhen tcp_disconnect() is called, inet_csk_delack_init() sets\nicsk->icsk_ack.rcv_mss to 0.\nThis could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>\n__tcp_select_window() call path to have division by 0 issue.\nSo this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.\n\nReported-by: Andrey Konovalov  <andreyknvl@google.com>\nSigned-off-by: Wei Wang <weiwan@google.com>\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nSigned-off-by: Neal Cardwell <ncardwell@google.com>\nSigned-off-by: Yuchung Cheng <ycheng@google.com>\nSigned-off-by: David S. 
Miller <davem@davemloft.net>\n(cherry picked from commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8)\nSigned-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>\n---\n net/ipv4/tcp.c | 4 ++++\n 1 file changed, 4 insertions(+)","diff":"diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c\nindex 16b5118..46c45a0 100644\n--- a/net/ipv4/tcp.c\n+++ b/net/ipv4/tcp.c\n@@ -2202,6 +2202,10 @@ int tcp_disconnect(struct sock *sk, int flags)\n \ttcp_set_ca_state(sk, TCP_CA_Open);\n \ttcp_clear_retrans(tp);\n \tinet_csk_delack_init(sk);\n+\t/* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0\n+\t * issue in __tcp_select_window()\n+\t */\n+\ticsk->icsk_ack.rcv_mss = TCP_MIN_MSS;\n \ttcp_init_send_head(sk);\n \tmemset(&tp->rx_opt, 0, sizeof(tp->rx_opt));\n \t__sk_dst_reset(sk);\n","prefixes":["CVE-2017-14106","T/X/Z","SRU"]}
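Review bot: the added `icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;` line in tcp_disconnect() relies on a local `icsk` that the hunk context does not show being declared. This one diff is proposed for three series (T/X/Z), so please confirm that `icsk` is in scope at this point in each tree's tcp_disconnect(); otherwise the cherry-pick will not build there. Separately, the reset sits at the call site, directly after `inet_csk_delack_init(sk);`, rather than in the helper that the commit message says zeroes rcv_mss, so any other path that calls inet_csk_delack_init() and later reaches __tcp_select_window() still starts from 0. A sentence in the commit message on why only the disconnect path needs the minimum, or moving the assignment into the helper if that is safe for its other callers, would make the scope of the fix clear.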