commit 77c1090 "net: fix infinite loop in __skb_recv_datagram()" should go into 3.4 and 3.7 stable

Fri, 15 Feb 2013 13:04:58 -0800 

CVE-2013-0290

Both 3.4 and 3.7 have the commit that causes this problem.

commit 77c1090f94d1b0b5186fb13a1b71b47b1343f87f
Author: Eric Dumazet <eduma...@google.com>
Date:   Tue Feb 12 06:16:53 2013 +0000

    net: fix infinite loop in __skb_recv_datagram()
    
    Tommi was fuzzing with trinity and reported the following problem :
    
    commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram)
    missed that a raw socket receive queue can contain skbs with no payload.
    
    We can loop in __skb_recv_datagram() with MSG_PEEK mode, because
    wait_for_packet() is not prepared to skip these skbs.
    
    [   83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {}
    (detected by 0, t=26002 jiffies, g=27673, c=27672, q=75)
    [   83.541011] INFO: Stall ended before state dump start
    [  108.067010] BUG: soft lockup - CPU#0 stuck for 22s! 
[trinity-child31:2847]
    ...
    [  108.067010] Call Trace:
    [  108.067010]  [<ffffffff818cc103>] __skb_recv_datagram+0x1a3/0x3b0
    [  108.067010]  [<ffffffff818cc33d>] skb_recv_datagram+0x2d/0x30
    [  108.067010]  [<ffffffff819ed43d>] rawv6_recvmsg+0xad/0x240
    [  108.067010]  [<ffffffff818c4b04>] sock_common_recvmsg+0x34/0x50
    [  108.067010]  [<ffffffff818bc8ec>] sock_recvmsg+0xbc/0xf0
    [  108.067010]  [<ffffffff818bf31e>] sys_recvfrom+0xde/0x150
    [  108.067010]  [<ffffffff81ca4329>] system_call_fastpath+0x16/0x1b
    
    Reported-by: Tommi Rantala <tt.rant...@gmail.com>
    Tested-by: Tommi Rantala <tt.rant...@gmail.com>
    Signed-off-by: Eric Dumazet <eduma...@google.com>
    Cc: Pavel Emelyanov <xe...@parallels.com>
    Acked-by: Pavel Emelyanov <xe...@parallels.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>

diff --git a/net/core/datagram.c b/net/core/datagram.c
index 0337e2b..368f9c3 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -187,7 +187,7 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, 
unsigned int flags,
                skb_queue_walk(queue, skb) {
                        *peeked = skb->peeked;
                        if (flags & MSG_PEEK) {
-                               if (*off >= skb->len) {
+                               if (*off >= skb->len && skb->len) {
                                        *off -= skb->len;
                                        continue;
                                }
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to