| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Oct 2016 14:32:52 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: sd@...asysnail.net
Cc: netdev@...r.kernel.org, eric.dumazet@...il.com,
tom@...bertland.com, jbenc@...hat.com, hannes@...essinduktion.org
Subject: Re: [PATCH net v3] net: add recursion limit to GRO
From: Sabrina Dubroca <sd@...asysnail.net>
Date: Thu, 20 Oct 2016 15:58:02 +0200
> Currently, GRO can do unlimited recursion through the gro_receive
> handlers. This was fixed for tunneling protocols by limiting tunnel GRO
> to one level with encap_mark, but both VLAN and TEB still have this
> problem. Thus, the kernel is vulnerable to a stack overflow, if we
> receive a packet composed entirely of VLAN headers.
>
> This patch adds a recursion counter to the GRO layer to prevent stack
> overflow. When a gro_receive function hits the recursion limit, GRO is
> aborted for this skb and it is processed normally. This recursion
> counter is put in the GRO CB, but could be turned into a percpu counter
> if we run out of space in the CB.
>
> Thanks to Vladimír Beneš <vbenes@...hat.com> for the initial bug report.
>
> Fixes: CVE-2016-7039
> Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
> Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
> Signed-off-by: Sabrina Dubroca <sd@...asysnail.net>
> Reviewed-by: Jiri Benc <jbenc@...hat.com>
> Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
Applied and queued up for -stable, thanks!
Powered by blists - more mailing lists