Linux Kernel Tunnel Recursion Limit Vulnerability Causes Stack Overflow

A vulnerability in the Linux kernel's tunnel transmission functions (iptunnel_xmit and ip6tunnel_xmit) can lead to a stack overflow. This issue arises when a bond device in broadcast mode has GRE tap interfaces as slaves, and those tunnels route back through the bond. The resulting multicast or broadcast traffic creates an infinite recursion between bond_xmit_broadcast and the tunnel xmit functions, causing a kernel stack overflow. The default recursion limit is inadequate for tunnel operations, which involve route lookups and full IP processing, consuming more stack space. The vulnerability has been addressed by introducing a lower recursion limit specifically for IP tunnels and adding recursion detection to prevent such infinite loops.

Impact

The vulnerability can be exploited to cause a kernel stack overflow, leading to a denial of service condition.

Reproduction

To reproduce this vulnerability, create a bond device in broadcast mode and add GRE tap interfaces as slaves. Ensure that the GRE tunnels route back through the bond. When multicast or broadcast traffic is sent, it will trigger an infinite recursion between the bonding and tunnel functions, causing a stack overflow.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.