Date:   Thu, 31 Aug 2017 07:11:28 -0400
From:   Neal Cardwell <ncardwell@...gle.com>
To:     idaifish <idaifish@...il.com>
Cc:     David Miller <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Netdev <netdev@...r.kernel.org>, syzkaller@...glegroups.com,
        Wei Wang <weiwan@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>
Subject: Re: net/ipv4: divide error in __tcp_select_window

On Thu, Aug 31, 2017 at 1:56 AM, idaifish <idaifish@...il.com> wrote:
> Hi:
>    This bug can still be triggered by the attached PoC on the latest
> Ubuntu 16.04 kernel (4.4.0-94-generic)
>
> ============================================================================
> divide error: 0000 [#1] SMP KASAN
> Modules linked in:
> CPU: 0 PID: 14933 Comm: syz-executor0 Not tainted 4.9.45 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
> task: ffff880076ab9900 task.stack: ffff880062ae8000
> RIP: 0010:[<ffffffff829c1df3>]  [<ffffffff829c1df3>]
> __tcp_select_window+0x2f3/0x6b0 net/ipv4/tcp_output.c:2499
...
>  [<ffffffff8297c36e>] tcp_cleanup_rbuf+0x43e/0x4f0 net/ipv4/tcp.c:1468
>  [<ffffffff829815df>] tcp_recvmsg+0xc2f/0x25d0 net/ipv4/tcp.c:1937

Thanks for the report. I believe this tcp_recvmsg => tcp_cleanup_rbuf
=> __tcp_select_window divide-by-zero issue was fixed in May by Wei,
in:

 499350a5a6e7 tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
 https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=499350a5a6e7

Looks like we should probably mark this as a -stable candidate, so
that it will eventually make it to 4.4.y, 4.9.y, 4.12.y users, etc. (I
don't see the commit in those stable branches.)

thanks,
neal
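The thread names the root cause (rcv_mss left at 0 until the first segment arrives) and the fix (start it at TCP_MIN_MSS). The following is an added illustration, not code from the thread or from the kernel: a deliberately simplified model of the receive-side state and of the "round the window down to whole MSS segments" division that the oops points at in __tcp_select_window. The struct `rcv_state`, the function names and the 65535-byte sample space are constructed for this example; `TCP_MIN_MSS` uses the 88-byte value the kernel defines in include/net/tcp.h. The real kernel function does considerably more than this.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. TCP_MIN_MSS matches the 88-byte floor the
 * kernel defines in include/net/tcp.h; the struct and functions below are a
 * constructed, simplified model of the state __tcp_select_window works on. */
#define TCP_MIN_MSS 88U

struct rcv_state {
    uint32_t rcv_mss;    /* estimated peer MSS; the field that was left at 0 */
    uint32_t free_space; /* receive buffer space available to advertise */
};

/* Initialisation as it was before commit 499350a5a6e7: rcv_mss stays 0 until
 * an incoming segment updates it, so a window computation that runs before
 * any data has arrived divides by zero. */
static void init_rcv_state_before_fix(struct rcv_state *s, uint32_t space)
{
    s->rcv_mss = 0;
    s->free_space = space;
}

/* Initialisation as it is after the fix: rcv_mss starts at TCP_MIN_MSS, so
 * every later division has a non-zero divisor. */
static void init_rcv_state_after_fix(struct rcv_state *s, uint32_t space)
{
    s->rcv_mss = TCP_MIN_MSS;
    s->free_space = space;
}

/* Simplified window selection: round free space down to a whole number of
 * MSS-sized segments. The division is the operation that faulted with
 * "divide error: 0000" in the report. Here a zero rcv_mss is detected and
 * reported through *ok instead of being divided by. */
static uint32_t select_window(const struct rcv_state *s, int *ok)
{
    if (s->rcv_mss == 0) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return (s->free_space / s->rcv_mss) * s->rcv_mss;
}

/* Wrappers that compare the two initialisations directly. */
static uint32_t window_after_fix(uint32_t space)
{
    struct rcv_state s;
    int ok;
    init_rcv_state_after_fix(&s, space);
    return select_window(&s, &ok);
}

static int window_before_fix_is_safe(uint32_t space)
{
    struct rcv_state s;
    int ok;
    init_rcv_state_before_fix(&s, space);
    (void)select_window(&s, &ok);
    return ok; /* 0: the division would have been by zero */
}

int main(void)
{
    uint32_t space = 65535; /* constructed sample receive space */

    printf("before fix: rcv_mss=0  -> %s\n",
           window_before_fix_is_safe(space) ? "window computed"
                                            : "division by zero (guarded here)");
    printf("after fix:  rcv_mss=%u -> window=%u\n",
           TCP_MIN_MSS, window_after_fix(space));
    return 0;
}
```

With 65535 bytes of space the fixed initialisation yields a 65472-byte window (744 segments of 88 bytes), while the pre-fix state has nothing valid to divide by. To confirm whether a given stable tree carries the fix, search its history for the commit subject, for example `git log --oneline --grep='initialize rcv_mss to TCP_MIN_MSS'` on the branch in question.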
