From: Sabrina Dubroca <s...@queasysnail.net>
Date: Thu, 20 Oct 2016 15:58:02 +0200
> Currently, GRO can do unlimited recursion through the gro_receive
> handlers. This was fixed for tunneling protocols by limiting tunnel GRO
> to one level with encap_mark, but both VLAN and TEB still have this
> problem. Thus, the kernel is vulnerable to a stack overflow, if we
> receive a packet composed entirely of VLAN headers.
>
> This patch adds a recursion counter to the GRO layer to prevent stack
> overflow. When a gro_receive function hits the recursion limit, GRO is
> aborted for this skb and it is processed normally. This recursion
> counter is put in the GRO CB, but could be turned into a percpu counter
> if we run out of space in the CB.
>
> Thanks to Vladimír Beneš <vbe...@redhat.com> for the initial bug report.
>
> Fixes: CVE-2016-7039
> Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
> Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated
> vlan")
> Signed-off-by: Sabrina Dubroca <s...@queasysnail.net>
> Reviewed-by: Jiri Benc <jb...@redhat.com>
> Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Applied and queued up for -stable, thanks!
