lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20251201083228.70b70181@phoenix.local>
Date: Mon, 1 Dec 2025 08:32:28 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: netdev@...r.kernel.org
Subject: Fw: [Bug 220820] New: net: tcp: avoid division by zero in
 __tcp_select_window



Begin forwarded message:

Date: Mon, 01 Dec 2025 10:26:14 +0000
From: bugzilla-daemon@...nel.org
To: stephen@...workplumber.org
Subject: [Bug 220820] New: net: tcp: avoid division by zero in __tcp_select_window


https://bugzilla.kernel.org/show_bug.cgi?id=220820

            Bug ID: 220820
           Summary: net: tcp: avoid division by zero in
                    __tcp_select_window
           Product: Networking
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: IPV4
          Assignee: stephen@...workplumber.org
          Reporter: kitta@...ux.alibaba.com
        Regression: No

In the following kernel version:

name:linux
url:http://github.com/gregkh/linux.git
branch: master
commit: ac3fd01e4c1efce8f2c054cdeb2ddd2fc0fb150d

bug report:
------------[ cut here ]------------
UBSAN: division-overflow in net/ipv4/tcp_output.c:3333:13
division by zero
CPU: 0 UID: 0 PID: 4151 Comm: syz.0.268 Not tainted 6.18.0-rc7 #1 PREEMPT(none) 
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x168/0x1f0 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:233 [inline]
 __ubsan_handle_divrem_overflow lib/ubsan.c:351 [inline]
 __ubsan_handle_divrem_overflow+0x1ae/0x2a0 lib/ubsan.c:333
 __tcp_select_window.cold+0x16/0x35 net/ipv4/tcp_output.c:3333
 tcp_select_window net/ipv4/tcp_output.c:280 [inline]
 __tcp_transmit_skb+0xca3/0x38b0 net/ipv4/tcp_output.c:1565
 tcp_transmit_skb net/ipv4/tcp_output.c:1646 [inline]
 tcp_send_active_reset+0x422/0x7e0 net/ipv4/tcp_output.c:3828
 mptcp_do_fastclose.part.0+0x158/0x1e0 net/mptcp/protocol.c:2792
 mptcp_do_fastclose net/mptcp/protocol.c:2779 [inline]
 mptcp_disconnect+0x2c6/0x9b0 net/mptcp/protocol.c:3252
 inet_shutdown+0x270/0x440 net/ipv4/af_inet.c:937
 __sys_shutdown_sock net/socket.c:2470 [inline]
 __sys_shutdown_sock net/socket.c:2464 [inline]
 __sys_shutdown+0x117/0x1b0 net/socket.c:2486
 __do_sys_shutdown net/socket.c:2491 [inline]
 __se_sys_shutdown net/socket.c:2489 [inline]
 __x64_sys_shutdown+0x54/0x80 net/socket.c:2489
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6e/0x940 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7ff5e46fb4dd
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01
c3 48 8b 0d 6b 89 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ff5e31f0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00000000005c5fa0 RCX: 00007ff5e46fb4dd
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000005c5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000005c6038 R14: 0000000000000000 R15: 00007ff5e31f1640
 </TASK>
---[ end trace ]---
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 4151 Comm: syz.0.268 Not tainted 6.18.0-rc7 #1 PREEMPT(none) 
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
RIP: 0010:__tcp_select_window+0x58a/0x1240 net/ipv4/tcp_output.c:3333
Code: e3 0f 8c 8a 02 00 00 e8 34 dc a3 fd 8b 5c 24 0c 31 ff 89 de e8 c7 d5 a3
fd 85 db 0f 84 6c 9d 36 fd e8 1a dc a3 fd 44 89 f0 99 <f7> 7c 24 0c 41 29 d6 45
89 f4 e9 2a ff ff ff e8 02 dc a3 fd 48 89
RSP: 0018:ffff88800b5f7ae0 EFLAGS: 00010283
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90000d11000
RDX: 0000000000000000 RSI: ffffffff83f30a16 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888028a9f400 R14: 0000000000000000 R15: 0000000000000000
FS:  00007ff5e31f1640(0000) GS:ffff8880e70ab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f711faa0 CR3: 000000001de2e003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 80000000
Call Trace:
 <TASK>
 tcp_select_window net/ipv4/tcp_output.c:280 [inline]
 __tcp_transmit_skb+0xca3/0x38b0 net/ipv4/tcp_output.c:1565
 tcp_transmit_skb net/ipv4/tcp_output.c:1646 [inline]
 tcp_send_active_reset+0x422/0x7e0 net/ipv4/tcp_output.c:3828
 mptcp_do_fastclose.part.0+0x158/0x1e0 net/mptcp/protocol.c:2792
 mptcp_do_fastclose net/mptcp/protocol.c:2779 [inline]
 mptcp_disconnect+0x2c6/0x9b0 net/mptcp/protocol.c:3252
 inet_shutdown+0x270/0x440 net/ipv4/af_inet.c:937
 __sys_shutdown_sock net/socket.c:2470 [inline]
 __sys_shutdown_sock net/socket.c:2464 [inline]
 __sys_shutdown+0x117/0x1b0 net/socket.c:2486
 __do_sys_shutdown net/socket.c:2491 [inline]
 __se_sys_shutdown net/socket.c:2489 [inline]
 __x64_sys_shutdown+0x54/0x80 net/socket.c:2489
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6e/0x940 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7ff5e46fb4dd
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01
c3 48 8b 0d 6b 89 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ff5e31f0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00000000005c5fa0 RCX: 00007ff5e46fb4dd
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000005c5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000005c6038 R14: 0000000000000000 R15: 00007ff5e31f1640
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__tcp_select_window+0x58a/0x1240 net/ipv4/tcp_output.c:3333
Code: e3 0f 8c 8a 02 00 00 e8 34 dc a3 fd 8b 5c 24 0c 31 ff 89 de e8 c7 d5 a3
fd 85 db 0f 84 6c 9d 36 fd e8 1a dc a3 fd 44 89 f0 99 <f7> 7c 24 0c 41 29 d6 45
89 f4 e9 2a ff ff ff e8 02 dc a3 fd 48 89
RSP: 0018:ffff88800b5f7ae0 EFLAGS: 00010283
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90000d11000
RDX: 0000000000000000 RSI: ffffffff83f30a16 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888028a9f400 R14: 0000000000000000 R15: 0000000000000000
FS:  00007ff5e31f1640(0000) GS:ffff8880e70ab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f711faa0 CR3: 000000001de2e003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 80000000
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:   0f 8c 8a 02 00 00       jl     0x290
   6:   e8 34 dc a3 fd          callq  0xfda3dc3f
   b:   8b 5c 24 0c             mov    0xc(%rsp),%ebx
   f:   31 ff                   xor    %edi,%edi
  11:   89 de                   mov    %ebx,%esi
  13:   e8 c7 d5 a3 fd          callq  0xfda3d5df
  18:   85 db                   test   %ebx,%ebx
  1a:   0f 84 6c 9d 36 fd       je     0xfd369d8c
  20:   e8 1a dc a3 fd          callq  0xfda3dc3f
  25:   44 89 f0                mov    %r14d,%eax
  28:   99                      cltd
* 29:   f7 7c 24 0c             idivl  0xc(%rsp) <-- trapping instruction
  2d:   41 29 d6                sub    %edx,%r14d
  30:   45 89 f4                mov    %r14d,%r12d
  33:   e9 2a ff ff ff          jmpq   0xffffff62
  38:   e8 02 dc a3 fd          callq  0xfda3dc3f
  3d:   48                      rex.W
  3e:   89                      .byte 0x89
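As an added illustration, not part of the bug report and not kernel source: the four instructions around the trapping idivl above (mov %r14d,%eax; cltd; idivl 0xc(%rsp); sub %edx,%r14d) compute r14d = r14d - (r14d % divisor), i.e. they round a value down to a multiple of the divisor, and the register dump shows RAX = R14 = 0 at the trap, so the dividend was zero and the divisor loaded from the stack slot was zero as well. The C below reproduces that arithmetic in an unguarded form (which faults exactly as the report shows) and a guarded form that refuses a non-positive divisor. The operand names free_space and mss, and the "advertise an empty window" policy for the invalid case, are assumptions made here from the function's purpose; the page does not state the upstream fix.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* Added example (not kernel code). Mirrors the instruction sequence from the
 * oops disassembly:  mov %r14d,%eax; cltd; idivl 0xc(%rsp); sub %edx,%r14d
 * -> r14d = r14d - (r14d % divisor).  Operand names are assumptions. */

/* Unguarded form: a zero 'mss' executes a divide by zero, which on x86 raises
 * #DE and produces the "divide error" oops seen in the report. */
static int round_window_down_unguarded(int free_space, int mss)
{
    return free_space - (free_space % mss);
}

/* Returns true when the divisor is usable. idivl is a signed divide, so a
 * negative value is rejected along with zero. */
static bool mss_is_valid(int mss)
{
    return mss > 0;
}

/* Guarded form: with no usable MSS there is no multiple to round to, so
 * advertise nothing (0) instead of dividing. This policy is illustrative. */
static int round_window_down_guarded(int free_space, int mss)
{
    if (!mss_is_valid(mss))
        return 0;
    return free_space - (free_space % mss);
}

/* Replays the register state from the oops (dividend 0, divisor 0) through
 * the guarded path, plus two constructed window/MSS pairs. Returns how many
 * inputs the guard rejected (1 for this set). */
static int demo(void)
{
    struct { int free_space, mss; } cases[] = {
        { 0, 0 },        /* the trapping state from the report */
        { 65535, 1460 }, /* constructed sample: a common Ethernet MSS */
        { 1000, 536 },   /* constructed sample: the IPv4 default MSS */
    };
    int rejected = 0;

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int fs = cases[i].free_space, mss = cases[i].mss;

        if (!mss_is_valid(mss))
            rejected++;
        printf("free_space=%d mss=%d -> window=%d\n", fs, mss,
               round_window_down_guarded(fs, mss));
    }
    return rejected;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

Running it prints the rounded window for each pair; the first pair is the one the oops recorded and is answered with 0 instead of a fault. Calling round_window_down_unguarded(0, 0) instead would reproduce the divide error in user space.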

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>

division by zero
CPU: 0 UID: 0 PID: 4151 Comm: syz.0.268 Not tainted 6.18.0-rc7 #1 PREEMPT(none) 
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x1f0
 __ubsan_handle_divrem_overflow+0x1ae/0x2a0
 __tcp_select_window.cold+0x16/0x35
 __tcp_transmit_skb+0xca3/0x38b0
 tcp_send_active_reset+0x422/0x7e0
 mptcp_do_fastclose.part.0+0x158/0x1e0
 mptcp_disconnect+0x2c6/0x9b0
 inet_shutdown+0x270/0x440
 __sys_shutdown+0x117/0x1b0
 __x64_sys_shutdown+0x54/0x80
 do_syscall_64+0x6e/0x940
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7ff5e46fb4dd
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01
c3 48 8b 0d 6b 89 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ff5e31f0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00000000005c5fa0 RCX: 00007ff5e46fb4dd
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000005c5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000005c6038 R14: 0000000000000000 R15: 00007ff5e31f1640
 </TASK>
---[ end trace ]---
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 4151 Comm: syz.0.268 Not tainted 6.18.0-rc7 #1 PREEMPT(none) 
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
RIP: 0010:__tcp_select_window+0x58a/0x1240
Code: e3 0f 8c 8a 02 00 00 e8 34 dc a3 fd 8b 5c 24 0c 31 ff 89 de e8 c7 d5 a3
fd 85 db 0f 84 6c 9d 36 fd e8 1a dc a3 fd 44 89 f0 99 <f7> 7c 24 0c 41 29 d6 45
89 f4 e9 2a ff ff ff e8 02 dc a3 fd 48 89
RSP: 0018:ffff88800b5f7ae0 EFLAGS: 00010283
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90000d11000
RDX: 0000000000000000 RSI: ffffffff83f30a16 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888028a9f400 R14: 0000000000000000 R15: 0000000000000000
FS:  00007ff5e31f1640(0000) GS:ffff8880e70ab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f711faa0 CR3: 000000001de2e003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 80000000
Call Trace:
 <TASK>
 __tcp_transmit_skb+0xca3/0x38b0
 tcp_send_active_reset+0x422/0x7e0
 mptcp_do_fastclose.part.0+0x158/0x1e0
 mptcp_disconnect+0x2c6/0x9b0
 inet_shutdown+0x270/0x440
 __sys_shutdown+0x117/0x1b0
 __x64_sys_shutdown+0x54/0x80
 do_syscall_64+0x6e/0x940
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7ff5e46fb4dd
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01
c3 48 8b 0d 6b 89 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ff5e31f0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00000000005c5fa0 RCX: 00007ff5e46fb4dd
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000005c5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000005c6038 R14: 0000000000000000 R15: 00007ff5e31f1640
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__tcp_select_window+0x58a/0x1240
Code: e3 0f 8c 8a 02 00 00 e8 34 dc a3 fd 8b 5c 24 0c 31 ff 89 de e8 c7 d5 a3
fd 85 db 0f 84 6c 9d 36 fd e8 1a dc a3 fd 44 89 f0 99 <f7> 7c 24 0c 41 29 d6 45
89 f4 e9 2a ff ff ff e8 02 dc a3 fd 48 89
RSP: 0018:ffff88800b5f7ae0 EFLAGS: 00010283
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90000d11000
RDX: 0000000000000000 RSI: ffffffff83f30a16 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888028a9f400 R14: 0000000000000000 R15: 0000000000000000
FS:  00007ff5e31f1640(0000) GS:ffff8880e70ab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f711faa0 CR3: 000000001de2e003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 80000000

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.
