Bug 1384991 (CVE-2016-8666)

Summary: CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to kernel crash
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apmukher, aquini, arm-mgr, bhu, dhoward, fhrbata, gansalmon, iboverma, ichavero, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the Linux kernel's networking subsystem handled offloaded packets with multiple layers of encapsulation in the GRO (Generic Receive Offload) code path. A remote attacker could use this flaw to trigger unbounded recursion in the kernel that could lead to stack corruption, resulting in a system crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:00:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1297504, 1384995, 1385715, 1385716, 1391425    
Bug Blocks: 1384998    

Description Adam Mariš 2016-10-14 13:57:41 UTC 
Remotely triggerable unbounded recursion in GRE code was found. If a packet has the layout: IPv4 header | GRE header | IPv4 header | GRE header | ... depending on left over stack, it could run the kernel out of stack due to recursion and so crash the kernel.

Reproducer:

https://bugzilla.suse.com/show_bug.cgi?id=1001486#c5
https://bugzilla.suse.com/attachment.cgi?id=695327

Discussion threads:

https://marc.info/?t=145920955700002&r=1&w=2
https://marc.info/?t=145928865300005&r=1&w=2

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fac8e0f579695a3ecbc4d3cac369139d7f819971

CVE request+assignment:

http://seclists.org/oss-sec/2016/q4/121
http://seclists.org/oss-sec/2016/q4/125
Comment 1 Adam Mariš 2016-10-14 14:03:26 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1384995]
Comment 9 errata-xmlrpc 2017-01-03 16:55:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2017:0004 https://rhn.redhat.com/errata/RHSA-2017-0004.html