Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A stack overflow vulnerability has been identified in the Linux kernel's handling of virtual network interfaces, specifically the bonding and team interface types. When the Large Receive Offload (LRO) feature is disabled for a virtual interface, the kernel attempts to propagate this change to the lower interfaces. This propagation inadvertently sets off a recursive chain of notifications between upper and lower interfaces. The chain is not an infinite loop, but because the netdev notification system processes these events recursively instead of iteratively, it overflows the stack.
Disabling LRO on a virtual interface can trigger a stack overflow, potentially leading to a denial of service by causing the system to run out of stack space and crash.
The vulnerability can be reproduced by creating a team interface (team0) and enabling LRO. Then, by adding multiple lower team interfaces (team1 to team200) and disabling LRO on the upper team interface (team0), the recursive notification loop is triggered, causing the stack overflow.
The vulnerability has been addressed in the Linux kernel by introducing a notifier context member in the bonding and team structures, which prevents the recursive notification loop. Users should upgrade to the patched version of the kernel.
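A simplified user-space model of the notification re-entry described above and of the guard that the fix introduces. This is an added illustration, not kernel code; the struct, field and function names (`upper_dev`, `in_notifier`, `max_nesting` and the two handlers) are assumptions made for the model.

```c
#include <stdio.h>
#define MAX_LOWERS 256
/* Simplified model, not kernel code: one upper device and its lower devices. */
struct upper_dev {
    int lower_lro[MAX_LOWERS];  /* 1 = LRO still enabled on that lower */
    int n_lowers, guarded;      /* guarded: 0 = before the fix, 1 = after */
    int in_notifier;            /* stands in for the notifier context member */
    int depth, max_depth;       /* current and deepest nesting of sync calls */
};
static void sync_lower_features(struct upper_dev *up);

/* Runs on the upper device when one of its lowers reports a feature change. */
static void on_lower_feat_change(struct upper_dev *up)
{
    if (up->guarded && up->in_notifier)
        return;                 /* already handling a notification: no re-entry */
    up->in_notifier = 1;
    sync_lower_features(up);
    up->in_notifier = 0;
}

/* Push "LRO off" to every lower that still has it on; each change notifies. */
static void sync_lower_features(struct upper_dev *up)
{
    if (++up->depth > up->max_depth)
        up->max_depth = up->depth;
    for (int i = 0; i < up->n_lowers; i++) {
        if (!up->lower_lro[i])
            continue;
        up->lower_lro[i] = 0;
        on_lower_feat_change(up);
    }
    up->depth--;
}

/* Deepest nesting reached when LRO is disabled on an upper with n lowers. */
int max_nesting(int n, int guarded)
{
    struct upper_dev up = { .n_lowers = n > MAX_LOWERS ? MAX_LOWERS : n, .guarded = guarded };
    for (int i = 0; i < up.n_lowers; i++)
        up.lower_lro[i] = 1;
    sync_lower_features(&up);
    return up.max_depth;
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n", max_nesting(200, 0), max_nesting(200, 1));
    return 0;
}
```

In the unguarded run the nesting grows by one frame per lower interface and then stops, which is why the bug is a deep recursion and not an infinite loop; with the guard the nesting stays constant regardless of how many lower interfaces exist.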