* Patch "tunnels: Don't apply GRO to multiple layers of encapsulation" (CVE-2016-8666) is missing in 4.1 and 3.18 stable tree
From: Thomas Deutschmann @ 2017-01-10 2:09 UTC
To: stable@vger.kernel.org; +Cc: jesse, davem@davemloft.net, alexander.levin
Hi,
the following patch was backported to the following LTS kernels
- >=4.4.29
- >=3.16.35
however it is missing from LTS kernels
- linux-4.1
- linux-3.18
> From fac8e0f579695a3ecbc4d3cac369139d7f819971 Mon Sep 17 00:00:00 2001
> From: Jesse Gross <jesse@kernel.org>
> Date: Sat, 19 Mar 2016 09:32:01 -0700
> Subject: [PATCH] tunnels: Don't apply GRO to multiple layers of encapsulation.
>
> When drivers express support for TSO of encapsulated packets, they
> only mean that they can do it for one layer of encapsulation.
> Supporting additional levels would mean updating, at a minimum,
> more IP length fields and they are unaware of this.
>
> No encapsulation device expresses support for handling offloaded
> encapsulated packets, so we won't generate these types of frames
> in the transmit path. However, GRO doesn't have a check for
> multiple levels of encapsulation and will attempt to build them.
>
> UDP tunnel GRO actually does prevent this situation but it only
> handles multiple UDP tunnels stacked on top of each other. This
> generalizes that solution to prevent any kind of tunnel stacking
> that would cause problems.
>
> Fixes: bf5a755f ("net-gre-gro: Add GRE support to the GRO stack")
> Signed-off-by: Jesse Gross <jesse@kernel.org>
> Signed-off-by: David S. Miller <davem@davemloft.net>
--
Regards,
Thomas
* Re: Patch "tunnels: Don't apply GRO to multiple layers of encapsulation" (CVE-2016-8666) is missing in 4.1 and 3.18 stable tree
From: Greg KH @ 2017-01-10 6:45 UTC
To: Thomas Deutschmann
Cc: stable@vger.kernel.org, jesse, davem@davemloft.net,
alexander.levin
On Tue, Jan 10, 2017 at 03:09:28AM +0100, Thomas Deutschmann wrote:
> Hi,
>
> the following patch was backported to the following LTS kernels
>
> - >=4.4.29
> - >=3.16.35
>
>
> however it is missing from LTS kernels
>
> - linux-4.1
> - linux-3.18
3.18 is (or should be), end-of-life now (Sasha, can we just kill it?
Please?)
4.1 is a bit slower release cycle, and again, Sasha will speak to that.
thanks,
greg k-h
* Re: [E] Re: Patch "tunnels: Don't apply GRO to multiple layers of encapsulation" (CVE-2016-8666) is missing in 4.1 and 3.18 stable tree
From: Seung-Woo Kim @ 2017-01-19 23:14 UTC
To: alexander.levin
Cc: Greg KH, Thomas Deutschmann, stable@vger.kernel.org,
jesse@kernel.org, davem@davemloft.net
Hi,
On Fri, Jan 13, 2017 at 2:51 AM, <alexander.levin@verizon.com> wrote:
> On Tue, Jan 10, 2017 at 07:45:48AM +0100, Greg KH wrote:
>> On Tue, Jan 10, 2017 at 03:09:28AM +0100, Thomas Deutschmann wrote:
>> > Hi,
>> >
>> > the following patch was backported to the following LTS kernels
>> >
>> > - >=4.4.29
>> > - >=3.16.35
>> >
>> >
>> > however it is missing from LTS kernels
>> >
>> > - linux-4.1
>> > - linux-3.18
>>
>> 3.18 is (or should be), end-of-life now (Sasha, can we just kill it?
>> Please?)
>>
>> 4.1 is a bit slower release cycle, and again, Sasha will speak to that.
>
> I'll add commit to both, and will do final release for 3.18 in a couple of days.
The commit is applied to linux-4.1.y and linux-3.18.y, but it causes a
build warning about the unused function sit_gro_receive.
It seems that the following part of the mainline commit was missed.
static int ipv6_gro_complete(struct sk_buff *skb, int nhoff)
{
const struct net_offload *ops;
@@ -302,7 +315,7 @@ static struct packet_offload ipv6_packet
static const struct net_offload sit_offload = {
.callbacks = {
.gso_segment = ipv6_gso_segment,
- .gro_receive = ipv6_gro_receive,
+ .gro_receive = sit_gro_receive,
.gro_complete = sit_gro_complete,
},
};
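Review bot: without the ".gro_receive = sit_gro_receive" line in sit_offload, the 4.1.y and 3.18.y backports still route SIT receive through ipv6_gro_receive, so sit_gro_receive is defined but never called; the unused-function warning is the visible sign of an incomplete fix and should not simply be silenced. Suggest taking this hunk from mainline commit fac8e0f579695a3ecbc4d3cac369139d7f819971 as a follow-up in both trees rather than from this excerpt, which has lost its indentation and begins with context lines from the preceding hunk, and then rebuilding to confirm the warning is gone.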
Thanks,
- Seung-Woo Kim
>
> --
>
> Thanks,
> Sasha
* Re: [E] Re: Patch "tunnels: Don't apply GRO to multiple layers of encapsulation" (CVE-2016-8666) is missing in 4.1 and 3.18 stable tree
From: Greg KH @ 2017-01-20 8:28 UTC
To: Seung-Woo Kim
Cc: alexander.levin, Thomas Deutschmann, stable@vger.kernel.org,
jesse@kernel.org, davem@davemloft.net
On Fri, Jan 20, 2017 at 08:14:23AM +0900, Seung-Woo Kim wrote:
> Hi,
>
> On Fri, Jan 13, 2017 at 2:51 AM, <alexander.levin@verizon.com> wrote:
> > On Tue, Jan 10, 2017 at 07:45:48AM +0100, Greg KH wrote:
> >> On Tue, Jan 10, 2017 at 03:09:28AM +0100, Thomas Deutschmann wrote:
> >> > Hi,
> >> >
> >> > the following patch was backported to the following LTS kernels
> >> >
> >> > - >=4.4.29
> >> > - >=3.16.35
> >> >
> >> >
> >> > however it is missing from LTS kernels
> >> >
> >> > - linux-4.1
> >> > - linux-3.18
> >>
> >> 3.18 is (or should be), end-of-life now (Sasha, can we just kill it?
> >> Please?)
> >>
> >> 4.1 is a bit slower release cycle, and again, Sasha will speak to that.
> >
> > I'll add commit to both, and will do final release for 3.18 in a couple of days.
>
> The commit is applied to linux-4.1.y and linux-3.18.y, but it causes a
> build warning about the unused function sit_gro_receive.
>
> It seems that the following part of the mainline commit was missed.
>
> static int ipv6_gro_complete(struct sk_buff *skb, int nhoff)
> {
> const struct net_offload *ops;
> @@ -302,7 +315,7 @@ static struct packet_offload ipv6_packet
> static const struct net_offload sit_offload = {
> .callbacks = {
> .gso_segment = ipv6_gso_segment,
> - .gro_receive = ipv6_gro_receive,
> + .gro_receive = sit_gro_receive,
> .gro_complete = sit_gro_complete,
> },
> };
Ah, nice catch.
Sasha, want to add this to the trees and do another release? Or I can
do it if you don't want to, for 3.18.y
thanks,
greg k-h
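
Added example, not part of the thread or of the kernel sources: a small userspace model of why the missing sit_offload hunk matters, showing that a tunnel check placed in sit_gro_receive is never reached while .gro_receive still points at ipv6_gro_receive. Only the names sit_offload, sit_gro_receive and ipv6_gro_receive come from the thread; the encap_mark and flush fields, the GRE handler, the simplified struct layout and the sample header chains are assumptions made for illustration.

```c
/* Userspace model of GRO tunnel dispatch: constructed, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum layer { L_GRE, L_SIT, L_TCP };  /* headers after the outer IPv4 header */
struct pkt {
    const enum layer *hdr; size_t n; /* header chain, outermost first */
    bool encap_mark;                 /* assumed flag: a tunnel header was seen */
    bool flush;                      /* set when the packet must not be merged */
};
struct net_offload { bool (*gro_receive)(struct pkt *p, size_t i); };
static const struct net_offload *sit_table;  /* sit_offload variant in use */
static bool dispatch(struct pkt *p, size_t i);

/* Plain IPv6 receive: hands on to the next header, no tunnel check. */
static bool ipv6_gro_receive(struct pkt *p, size_t i) { return dispatch(p, i + 1); }
/* Check shared by the tunnel handlers of this model: refuse a second layer. */
static bool enter_tunnel(struct pkt *p)
{
    if (p->encap_mark) { p->flush = true; return false; }
    p->encap_mark = true;
    return true;
}
static bool sit_gro_receive(struct pkt *p, size_t i) { return enter_tunnel(p) && ipv6_gro_receive(p, i); }
static bool gre_gro_receive(struct pkt *p, size_t i) { return enter_tunnel(p) && dispatch(p, i + 1); }

static const struct net_offload gre_offload = { gre_gro_receive };
static const struct net_offload sit_offload_backport = { ipv6_gro_receive }; /* hunk missing */
static const struct net_offload sit_offload_mainline = { sit_gro_receive };  /* hunk applied */
static const enum layer SIT_ONLY[] = { L_SIT, L_TCP }, GRE_OVER_SIT[] = { L_GRE, L_SIT, L_TCP };

static bool dispatch(struct pkt *p, size_t i)
{
    if (i >= p->n || p->hdr[i] == L_TCP) return true;  /* payload reached */
    return (p->hdr[i] == L_GRE ? &gre_offload : sit_table)->gro_receive(p, i);
}
/* True if GRO would merge a packet with this header chain. */
static bool aggregated(const struct net_offload *sit, const enum layer *hdr, size_t n)
{
    struct pkt p = { hdr, n, false, false };
    sit_table = sit;
    return dispatch(&p, 0) && !p.flush;
}

int main(void)
{
    printf("SIT only, hunk applied:     %d\n", aggregated(&sit_offload_mainline, SIT_ONLY, 2));
    printf("GRE over SIT, hunk applied: %d\n", aggregated(&sit_offload_mainline, GRE_OVER_SIT, 3));
    printf("GRE over SIT, hunk missing: %d\n", aggregated(&sit_offload_backport, GRE_OVER_SIT, 3));
    return 0;
}
```

In the model, a single SIT layer is merged under either wiring, while the two-layer chain is refused only when sit_offload points at sit_gro_receive.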