CVE-2025-71096

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly<br /> <br /> The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a<br /> LS_NLA_TYPE_DGID attribute, it is invalid if it does not.<br /> <br /> Use the nl parsing logic properly and call nla_parse_deprecated() to fill<br /> the nlattrs array and then directly index that array to get the data for<br /> the DGID. Just fail if it is NULL.<br /> <br /> Remove the for loop searching for the nla, and squash the validation and<br /> parsing into one function.<br /> <br /> Fixes an uninitialized read from the stack triggered by userspace if it<br /> does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE<br /> query.<br /> <br /> BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]<br /> BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490<br /> hex_byte_pack include/linux/hex.h:13 [inline]<br /> ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490<br /> ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509<br /> ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633<br /> pointer+0xc09/0x1bd0 lib/vsprintf.c:2542<br /> vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930<br /> vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279<br /> vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426<br /> vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465<br /> vprintk+0x36/0x50 kernel/printk/printk_safe.c:82<br /> _printk+0x17e/0x1b0 kernel/printk/printk.c:2475<br /> ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]<br /> ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141<br /> rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]<br /> rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]<br /> rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]<br /> netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346<br /> netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896<br /> sock_sendmsg_nosec net/socket.c:714 [inline]<br /> __sock_sendmsg+0x333/0x3d0 net/socket.c:729<br /> ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617<br /> ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671<br /> __sys_sendmsg+0x1aa/0x300 net/socket.c:2703<br /> __compat_sys_sendmsg net/compat.c:346 [inline]<br /> __do_compat_sys_sendmsg net/compat.c:353 [inline]<br /> __se_compat_sys_sendmsg net/compat.c:350 [inline]<br /> __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350<br /> ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371<br /> do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]<br /> __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306<br /> do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331<br /> do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3