1384991 – (CVE-2016-8666) CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to kernel crash

Bug 1384991 (CVE-2016-8666) - CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to kernel crash

Summary: CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to k...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-8666
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1297504 1384995 1385715 1385716 1391425
Blocks:	1384998
TreeView+	depends on / blocked

Reported:	2016-10-14 13:57 UTC by Adam Mariš
Modified:	2021-02-17 03:11 UTC (History)
CC List:	32 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the way the Linux kernel's networking subsystem handled offloaded packets with multiple layers of encapsulation in the GRO (Generic Receive Offload) code path. A remote attacker could use this flaw to trigger unbounded recursion in the kernel that could lead to stack corruption, resulting in a system crash.
Clone Of:
Environment:
Last Closed:	2019-06-08 03:00:15 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:0004	0	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2017-01-03 21:54:50 UTC

Description Adam Mariš 2016-10-14 13:57:41 UTC

Remotely triggerable unbounded recursion in GRE code was found. If a packet has the layout: IPv4 header | GRE header | IPv4 header | GRE header | ... depending on left over stack, it could run the kernel out of stack due to recursion and so crash the kernel.

Reproducer:

https://bugzilla.suse.com/show_bug.cgi?id=1001486#c5
https://bugzilla.suse.com/attachment.cgi?id=695327

Discussion threads:

https://marc.info/?t=145920955700002&r=1&w=2
https://marc.info/?t=145928865300005&r=1&w=2

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fac8e0f579695a3ecbc4d3cac369139d7f819971

CVE request+assignment:

http://seclists.org/oss-sec/2016/q4/121
http://seclists.org/oss-sec/2016/q4/125

Comment 1 Adam Mariš 2016-10-14 14:03:26 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1384995]

Comment 9 errata-xmlrpc 2017-01-03 16:55:28 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2017:0004 https://rhn.redhat.com/errata/RHSA-2017-0004.html

Note You need to log in before you can comment on or make changes to this bug.

apmukher
aquini
arm-mgr
bhu
dhoward
fhrbata
gansalmon
iboverma
ichavero
itamar
jforbes
jkacur
joelsmith
jonathan
jross
jwboyer
kernel-maint
kernel-mgr
labbott
lgoncalv
madhu.chinakonda
matt
mchehab
mcressma
nmurray
pholasek
plougher
pmatouse
rt-maint
rvrbovsk
vdronov
williams