
CVE-2017-14106 CrOS: Vulnerability reported in Linux kernel

Reported by vomit.go...@appspot.gserviceaccount.com (Project Member), Sep 6 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-14106
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-14106
  CVSS severity score: 4.9/10.0
  Description:

The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

Labels: Security_Severity-Medium Security_Impact-Stable M-61 Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream 499350a5a6e ("tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0"). Needed in all kernel versions.


Status: Started (was: Assigned)

Comment 3 by bugdroid1@chromium.org (Project Member), Sep 6 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c4bfb572060037be796fd4bd364a56bd05295a1f

commit c4bfb572060037be796fd4bd364a56bd05295a1f
Author: Wei Wang <weiwan@google.com>
Date: Wed Sep 06 23:54:33 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652667
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/c4bfb572060037be796fd4bd364a56bd05295a1f/net/ipv4/tcp.c
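As an added example (not code from this page, from the kernel, or from the commit above), a userspace model of the state bug the advisory and the commit message describe: `disconnect_before_fix` and `disconnect_after_fix` stand in for the two versions of tcp_disconnect(), `select_window` for the dividing step in __tcp_select_window(), and TCP_MIN_MSS is assumed to be 88 as defined in include/net/tcp.h; the `model_sock` struct and the free_space values are constructed for the model.

```c
/* Userspace model of the CVE-2017-14106 state bug: tcp_disconnect() left
 * icsk->icsk_ack.rcv_mss at 0, and a later tcp_recvmsg() -> tcp_cleanup_rbuf()
 * -> __tcp_select_window() divided by it. Field and function names mirror the
 * kernel's for readability, but this is a standalone model, not kernel code. */
#include <stdint.h>
#include <stdio.h>

#define TCP_MIN_MSS 88U   /* include/net/tcp.h: smallest MSS the stack uses */

/* Stand-in for the few inet_connection_sock / tcp_sock fields the window
 * computation reads (constructed for this model). */
struct model_sock {
    uint32_t rcv_mss;     /* icsk->icsk_ack.rcv_mss */
    uint32_t free_space;  /* receive space as tcp_space() would report it */
};

/* inet_csk_delack_init() clears the whole icsk_ack block, rcv_mss included. */
static void delack_init(struct model_sock *sk)
{
    sk->rcv_mss = 0;
}

/* Pre-fix tcp_disconnect(): resets delayed-ACK state and leaves rcv_mss at 0. */
static void disconnect_before_fix(struct model_sock *sk)
{
    delack_init(sk);
}

/* Post-fix tcp_disconnect() (upstream 499350a5a6e): same reset, then rcv_mss
 * is re-seeded with TCP_MIN_MSS so later window math has a non-zero divisor. */
static void disconnect_after_fix(struct model_sock *sk)
{
    delack_init(sk);
    sk->rcv_mss = TCP_MIN_MSS;
}

/* The __tcp_select_window() step that traps: window = (free_space / mss) * mss.
 * The kernel has no zero check at that point; this model returns -1 where the
 * kernel would take a divide-by-zero exception, so the hazard is observable
 * without crashing the process. */
static long select_window(const struct model_sock *sk)
{
    uint32_t mss = sk->rcv_mss;

    if (mss == 0)
        return -1;   /* kernel: #DE -> oops -> the reported system crash */
    return (long)((sk->free_space / mss) * mss);
}

/* Disconnect a socket that looks connected, then run the receive-path window
 * computation, once per variant of tcp_disconnect(). */
long window_before_fix(uint32_t free_space)
{
    struct model_sock sk = { .rcv_mss = 1460, .free_space = free_space };
    disconnect_before_fix(&sk);
    return select_window(&sk);       /* -1 for any free_space */
}

long window_after_fix(uint32_t free_space)
{
    struct model_sock sk = { .rcv_mss = 1460, .free_space = free_space };
    disconnect_after_fix(&sk);
    return select_window(&sk);       /* free_space rounded down to a multiple of 88 */
}

int main(void)
{
    printf("before fix: %ld (-1 means divide-by-zero)\n", window_before_fix(65535));
    printf("after fix:  %ld\n", window_after_fix(65535));
    return 0;
}
```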

Comment 4 by bugdroid1@chromium.org (Project Member), Sep 7 2017

Labels: merge-merged-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a0928e96f21c88202e1fab182b57bd0e6ecc224a

commit a0928e96f21c88202e1fab182b57bd0e6ecc224a
Author: Wei Wang <weiwan@google.com>
Date: Thu Sep 07 02:12:59 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652170

[modify] https://crrev.com/a0928e96f21c88202e1fab182b57bd0e6ecc224a/net/ipv4/tcp.c

Comment 5 by bugdroid1@chromium.org (Project Member), Sep 7 2017

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a4316a1f1d2fc99220da7338fa1c83d80dd25f40

commit a4316a1f1d2fc99220da7338fa1c83d80dd25f40
Author: Wei Wang <weiwan@google.com>
Date: Thu Sep 07 02:13:01 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652168

[modify] https://crrev.com/a4316a1f1d2fc99220da7338fa1c83d80dd25f40/net/ipv4/tcp.c

Comment 6 by bugdroid1@chromium.org (Project Member), Sep 7 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c33525a32afb6e8978f5bd9c63c575e0514ae341

commit c33525a32afb6e8978f5bd9c63c575e0514ae341
Author: Wei Wang <weiwan@google.com>
Date: Thu Sep 07 02:13:02 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652167

[modify] https://crrev.com/c33525a32afb6e8978f5bd9c63c575e0514ae341/net/ipv4/tcp.c

Comment 7 by sheriffbot@chromium.org (Project Member), Sep 7 2017

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bed3b6c194dd0185152c3b741ad826d69e9cd089

commit bed3b6c194dd0185152c3b741ad826d69e9cd089
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 04:21:39 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652169

[modify] https://crrev.com/bed3b6c194dd0185152c3b741ad826d69e9cd089/net/ipv4/tcp.c

Comment 9 by sheriffbot@chromium.org (Project Member), Sep 8 2017

Labels: Restrict-View-SecurityNotify
Labels: Merge-Request-61

Comment 11 by sheriffbot@chromium.org (Project Member), Sep 8 2017

Labels: -Merge-Request-61 Merge-Review-61 Hotlist-Merge-Review
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-61 Merge-Approved-61
Approving merge to M61.

Comment 13 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R62-9901.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0b239c96af691b0a71ace6b0535b279c1da21567

commit 0b239c96af691b0a71ace6b0535b279c1da21567
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:01 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652667
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit c4bfb572060037be796fd4bd364a56bd05295a1f)
Reviewed-on: https://chromium-review.googlesource.com/658124

[modify] https://crrev.com/0b239c96af691b0a71ace6b0535b279c1da21567/net/ipv4/tcp.c

Comment 14 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R62-9901.B-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5c3309ff43dad0acf763ac47f6c5c1214e4b4823

commit 5c3309ff43dad0acf763ac47f6c5c1214e4b4823
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:05 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652170
(cherry picked from commit a0928e96f21c88202e1fab182b57bd0e6ecc224a)
Reviewed-on: https://chromium-review.googlesource.com/658132

[modify] https://crrev.com/5c3309ff43dad0acf763ac47f6c5c1214e4b4823/net/ipv4/tcp.c

Comment 15 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R61-9765.B-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d4372fdb8467acb0dddca0c9ea3a6affdd13df8e

commit d4372fdb8467acb0dddca0c9ea3a6affdd13df8e
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:08 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652170
(cherry picked from commit a0928e96f21c88202e1fab182b57bd0e6ecc224a)
Reviewed-on: https://chromium-review.googlesource.com/658131

[modify] https://crrev.com/d4372fdb8467acb0dddca0c9ea3a6affdd13df8e/net/ipv4/tcp.c

Comment 16 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R61-9765.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5410305c3af5857c26f6d40cf65bb20427385d8c

commit 5410305c3af5857c26f6d40cf65bb20427385d8c
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:11 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652167
(cherry picked from commit c33525a32afb6e8978f5bd9c63c575e0514ae341)
Reviewed-on: https://chromium-review.googlesource.com/658125

[modify] https://crrev.com/5410305c3af5857c26f6d40cf65bb20427385d8c/net/ipv4/tcp.c

Comment 17 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R62-9901.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a6d170915193b470b58791020064760dd921786b

commit a6d170915193b470b58791020064760dd921786b
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:15 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652167
(cherry picked from commit c33525a32afb6e8978f5bd9c63c575e0514ae341)
Reviewed-on: https://chromium-review.googlesource.com/658126

[modify] https://crrev.com/a6d170915193b470b58791020064760dd921786b/net/ipv4/tcp.c

Comment 18 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R62-9901.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/97ccf3ffbce4b74dc086235f965cc9800b362b16

commit 97ccf3ffbce4b74dc086235f965cc9800b362b16
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:19 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652169
(cherry picked from commit bed3b6c194dd0185152c3b741ad826d69e9cd089)
Reviewed-on: https://chromium-review.googlesource.com/658130

[modify] https://crrev.com/97ccf3ffbce4b74dc086235f965cc9800b362b16/net/ipv4/tcp.c

Comment 19 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R62-9901.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d9660e0dec1f9a0172a216b917deaaadb025c0bc

commit d9660e0dec1f9a0172a216b917deaaadb025c0bc
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:22 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652168
(cherry picked from commit a4316a1f1d2fc99220da7338fa1c83d80dd25f40)
Reviewed-on: https://chromium-review.googlesource.com/658128

[modify] https://crrev.com/d9660e0dec1f9a0172a216b917deaaadb025c0bc/net/ipv4/tcp.c

Comment 20 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R61-9765.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/774c987e26ff060068ec291fdd13ce0f7845f175

commit 774c987e26ff060068ec291fdd13ce0f7845f175
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:25 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652168
(cherry picked from commit a4316a1f1d2fc99220da7338fa1c83d80dd25f40)
Reviewed-on: https://chromium-review.googlesource.com/658127

[modify] https://crrev.com/774c987e26ff060068ec291fdd13ce0f7845f175/net/ipv4/tcp.c

Comment 21 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R61-9765.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/94c75a2c0f7294fa5f16ab6114098d6f09af3a38

commit 94c75a2c0f7294fa5f16ab6114098d6f09af3a38
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:29 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652667
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit c4bfb572060037be796fd4bd364a56bd05295a1f)
Reviewed-on: https://chromium-review.googlesource.com/658123

[modify] https://crrev.com/94c75a2c0f7294fa5f16ab6114098d6f09af3a38/net/ipv4/tcp.c

Comment 22 by bugdroid1@chromium.org (Project Member), Sep 8 2017

Labels: merge-merged-release-R61-9765.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fdb938ce8f88ec6ac6a667581879a14e54cb74ac

commit fdb938ce8f88ec6ac6a667581879a14e54cb74ac
Author: Wei Wang <weiwan@google.com>
Date: Fri Sep 08 19:44:32 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652169
(cherry picked from commit bed3b6c194dd0185152c3b741ad826d69e9cd089)
Reviewed-on: https://chromium-review.googlesource.com/658129

[modify] https://crrev.com/fdb938ce8f88ec6ac6a667581879a14e54cb74ac/net/ipv4/tcp.c

Comment 23 by sheriffbot@chromium.org (Project Member), Sep 12 2017

Cc: keta...@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-61

Comment 25 by bugdroid1@chromium.org (Project Member), Sep 12 2017

Labels: merge-merged-release-R60-9592.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/03fd4b865e5bbef57deef31599ee4bf80cf03165

commit 03fd4b865e5bbef57deef31599ee4bf80cf03165
Author: Wei Wang <weiwan@google.com>
Date: Tue Sep 12 17:54:07 2017

UPSTREAM: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

BUG= chromium:762451 
TEST=Build and run

Change-Id: Iecc4a1e302ff72a9763b9ca6dac7dc44d588a6d1
Reported-by: Andrey Konovalov  <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 499350a5a6e)
Reviewed-on: https://chromium-review.googlesource.com/652667
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit c4bfb572060037be796fd4bd364a56bd05295a1f)
Reviewed-on: https://chromium-review.googlesource.com/661797
Tested-by: Daniel Wang <wonderfly@google.com>
Commit-Queue: Daniel Wang <wonderfly@google.com>

[modify] https://crrev.com/03fd4b865e5bbef57deef31599ee4bf80cf03165/net/ipv4/tcp.c

Comment 26 by sheriffbot@chromium.org (Project Member), Dec 14 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 28 by dchan@chromium.org, Jan 23 2018

Status: Fixed (was: Archived)

Comment 29 by sheriffbot@chromium.org (Project Member), Mar 27 2018

Labels: -M-61 M-65
