Bug 1384991 (CVE-2016-8666) - CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to kernel crash
Summary: CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to k...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-8666
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1297504 1384995 1385715 1385716 1391425
Blocks: 1384998
TreeView+ depends on / blocked
 
Reported: 2016-10-14 13:57 UTC by Adam Mariš
Modified: 2021-02-17 03:11 UTC (History)
32 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the Linux kernel's networking subsystem handled offloaded packets with multiple layers of encapsulation in the GRO (Generic Receive Offload) code path. A remote attacker could use this flaw to trigger unbounded recursion in the kernel that could lead to stack corruption, resulting in a system crash.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:00:15 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0004 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-01-03 21:54:50 UTC

Description Adam Mariš 2016-10-14 13:57:41 UTC
Remotely triggerable unbounded recursion in GRE code was found. If a packet has the layout: IPv4 header | GRE header | IPv4 header | GRE header | ... depending on left over stack, it could run the kernel out of stack due to recursion and so crash the kernel.

Reproducer:

https://bugzilla.suse.com/show_bug.cgi?id=1001486#c5
https://bugzilla.suse.com/attachment.cgi?id=695327

Discussion threads:

https://marc.info/?t=145920955700002&r=1&w=2
https://marc.info/?t=145928865300005&r=1&w=2

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fac8e0f579695a3ecbc4d3cac369139d7f819971

CVE request+assignment:

http://seclists.org/oss-sec/2016/q4/121
http://seclists.org/oss-sec/2016/q4/125

Comment 1 Adam Mariš 2016-10-14 14:03:26 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1384995]

Comment 9 errata-xmlrpc 2017-01-03 16:55:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2017:0004 https://rhn.redhat.com/errata/RHSA-2017-0004.html


Note You need to log in before you can comment on or make changes to this bug.