Message-ID: <2025100111-CVE-2023-53477-93d5@gregkh>
Date: Wed, 1 Oct 2025 13:42:47 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53477: ipv6: Add lwtunnel encap size of all siblings in nexthop calculation
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

ipv6: Add lwtunnel encap size of all siblings in nexthop calculation

In function rt6_nlmsg_size(), the length of nexthop is calculated
by multiplying the nexthop length of fib6_info and the number of
siblings. However, if the fib6_info has no lwtunnel but the siblings
have lwtunnels, the nexthop length is less than it should be, and
it will trigger a warning in inet6_rt_notify() as follows:

    WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130
    ......
    Call Trace:
     <TASK>
     fib6_add_rt2node+0x685/0xa30
     fib6_add+0x96/0x1b0
     ip6_route_add+0x50/0xd0
     inet6_rtm_newroute+0x97/0xa0
     rtnetlink_rcv_msg+0x156/0x3d0
     netlink_rcv_skb+0x5a/0x110
     netlink_unicast+0x246/0x350
     netlink_sendmsg+0x250/0x4c0
     sock_sendmsg+0x66/0x70
     ___sys_sendmsg+0x7c/0xd0
     __sys_sendmsg+0x5d/0xb0
     do_syscall_64+0x3f/0x90
     entry_SYSCALL_64_after_hwframe+0x72/0xdc

This bug can be reproduced by script:

    ip -6 addr add 2002::2/64 dev ens2
    ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100

    for i in 10 20 30 40 50 60 70;
    do
      ip link add link ens2 name ipv_$i type ipvlan
      ip -6 addr add 2002::$i/64 dev ipv_$i
      ifconfig ipv_$i up
    done

    for i in 10 20 30 40 50 60;
    do
      ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1 \
        dev ipv_$i metric 100
    done

    ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100

This patch fixes it by adding nexthop_len of every sibling using
rt6_nh_nlmsg_size().

The Linux kernel CVE team has assigned CVE-2023-53477 to this issue.
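
An added example, not code from the kernel or from this advisory: a simplified userspace C model of the size estimate described above, comparing "own nexthop size times sibling count" with a per-sibling sum. The struct, the function names and the 64-byte encap length are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model: names and the encap length are constructed, not kernel code. */
#define ALIGN4(n)      (((n) + 3u) & ~3u)
#define ATTR_TOTAL(p)  ALIGN4(4u + (p))   /* 4-byte attribute header + padded payload */
#define RTNH_LEN       8u                 /* per-nexthop header in a multipath list */
#define GATEWAY_LEN    ATTR_TOTAL(16u)    /* attribute carrying an IPv6 gateway */

struct model_nh { size_t encap_len; };    /* 0 means the nexthop has no lwtunnel */

/* Bytes one nexthop occupies in the notification, encap included. */
static size_t nh_size(const struct model_nh *nh)
{
    return RTNH_LEN + GATEWAY_LEN + nh->encap_len;
}

/* Pre-fix estimate: the route's own nexthop size times the sibling count. */
static size_t estimate_multiplied(const struct model_nh *own, size_t nsiblings)
{
    return nh_size(own) * nsiblings;
}

/* Post-fix estimate: every sibling contributes its own size. */
static size_t estimate_summed(const struct model_nh *sib, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += nh_size(&sib[i]);
    return total;
}

/* Returns 1 if a buffer of `budget` bytes holds every sibling, else 0. */
static int fill_fits(const struct model_nh *sib, size_t n, size_t budget)
{
    for (size_t i = 0; i < n; i++) {
        if (nh_size(&sib[i]) > budget)
            return 0;                     /* message no longer fits: the warning case */
        budget -= nh_size(&sib[i]);
    }
    return 1;
}

/* Constructed case: route without encap, six siblings with a 64-byte encap. */
static const struct model_nh own = { 0 };
static const struct model_nh siblings[6] = { {64}, {64}, {64}, {64}, {64}, {64} };

int main(void)
{
    size_t old_est = estimate_multiplied(&own, 6), new_est = estimate_summed(siblings, 6);
    printf("multiplied=%zu fits=%d\n", old_est, fill_fits(siblings, 6, old_est));
    printf("summed=%zu fits=%d\n", new_est, fill_fits(siblings, 6, new_est));
}
```

When the route's own nexthop carries the same encap as its siblings the two estimates agree, which is why the shortfall only appears for mixed nexthop sets.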
Affected and fixed versions
===========================
Issue introduced in 4.11 with commit beb1afac518dec5a15dc92ba8f0ca016dcf457b4 and fixed in 5.4.235 with commit aba298b35619213ca787d08d472049627d8cd012
Issue introduced in 4.11 with commit beb1afac518dec5a15dc92ba8f0ca016dcf457b4 and fixed in 5.10.173 with commit da26369377f0b671c14692e2d65ceb38131053e1
Issue introduced in 4.11 with commit beb1afac518dec5a15dc92ba8f0ca016dcf457b4 and fixed in 5.15.100 with commit dcdddb5f490890d058ea1f194d661219e92fe88d
Issue introduced in 4.11 with commit beb1afac518dec5a15dc92ba8f0ca016dcf457b4 and fixed in 6.1.18 with commit e11e4d524eba2d3c8fdf897d7ce3853f7573bae9
Issue introduced in 4.11 with commit beb1afac518dec5a15dc92ba8f0ca016dcf457b4 and fixed in 6.2.5 with commit aa75d826c221e8d48607aef33836cf872a159cf1
Issue introduced in 4.11 with commit beb1afac518dec5a15dc92ba8f0ca016dcf457b4 and fixed in 6.3 with commit 4cc59f386991ec9374cb4bc83dbe1c0b5a95033f
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53477
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ipv6/route.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/aba298b35619213ca787d08d472049627d8cd012
https://git.kernel.org/stable/c/da26369377f0b671c14692e2d65ceb38131053e1
https://git.kernel.org/stable/c/dcdddb5f490890d058ea1f194d661219e92fe88d
https://git.kernel.org/stable/c/e11e4d524eba2d3c8fdf897d7ce3853f7573bae9
https://git.kernel.org/stable/c/aa75d826c221e8d48607aef33836cf872a159cf1
https://git.kernel.org/stable/c/4cc59f386991ec9374cb4bc83dbe1c0b5a95033f