| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251201104526.2711505-1-evan.li@linux.alibaba.com>
Date: Mon, 1 Dec 2025 18:45:26 +0800
From: Evan Li <evan.li@...ux.alibaba.com>
To: edumazet@...gle.com,
ncardwell@...gle.com,
kuniyu@...gle.com,
davem@...emloft.net,
dsahern@...nel.org,
kuba@...nel.org,
pabeni@...hat.com,
horms@...nel.org
Cc: netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
Evan Li <evan.li@...ux.alibaba.com>,
kitta <kitta@...ux.alibaba.com>
Subject: [PATCH] net: tcp: avoid division by zero in __tcp_select_window
We discovered a division-by-zero bug in __tcp_select_window() since
commit ae155060247b ("mptcp: fix duplicate reset on fastclose").
Under certain conditions during MPTCP fastclose, the mss value passed to
__tcp_select_window can be zero. The existing logic attempts to perform
rounddown(free_space, mss) without validating mss, leading to a division
operation in the helper (via do_div() or inline assembly) that triggers a
UBSAN overflow and kernel oops:
UBSAN: division-overflow in net/ipv4/tcp_output.c:3333:13
division by zero
RIP: __tcp_select_window+0x58a/0x1240
Call Trace:
__tcp_transmit_skb+0xca3/0x38b0
tcp_send_active_reset+0x422/0x7e0
mptcp_do_fastclose+0x158/0x1e0
...
The issue occurs when tcp_send_active_reset() is called on a subflow with
an unset or zero mss, which can happen during fastclose teardown due to
earlier state transitions.
This patch adds a guard to return 0 immediately if mss == 0, preventing
the unsafe rounding operation. This is safe because a zero MSS implies
invalid or uninitialized state, and returning zero window reflects that no
reliable data transmission can proceed.
Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose")
Reported-by: kitta <kitta@...ux.alibaba.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220820
Co-developed-by: kitta <kitta@...ux.alibaba.com>
Signed-off-by: Evan Li <evan.li@...ux.alibaba.com>
---
net/ipv4/tcp_output.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index b94efb3050d2..e6d2851a0ae9 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3329,9 +3329,11 @@ u32 __tcp_select_window(struct sock *sk)
* We also don't do any window rounding when the free space
* is too small.
*/
- if (window <= free_space - mss || window > free_space)
+ if (window <= free_space - mss || window > free_space) {
+ if (unlikely(mss == 0))
+ return 0; /* Prevent division by zero */
window = rounddown(free_space, mss);
- else if (mss == full_space &&
+ } else if (mss == full_space &&
free_space > window + (full_space >> 1))
window = free_space;
}
--
2.43.7
Powered by blists - more mailing lists