CVE-2023-53477
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/10/2025
Last modified:
02/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: Add lwtunnel encap size of all siblings in nexthop calculation

In function rt6_nlmsg_size(), the length of nexthop is calculated
by multiplying the nexthop length of fib6_info and the number of
siblings. However if the fib6_info has no lwtunnel but the siblings
have lwtunnels, the nexthop length is less than it should be, and
it will trigger a warning in inet6_rt_notify() as follows:

    WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130
    ......
    Call Trace:
    fib6_add_rt2node+0x685/0xa30
    fib6_add+0x96/0x1b0
    ip6_route_add+0x50/0xd0
    inet6_rtm_newroute+0x97/0xa0
    rtnetlink_rcv_msg+0x156/0x3d0
    netlink_rcv_skb+0x5a/0x110
    netlink_unicast+0x246/0x350
    netlink_sendmsg+0x250/0x4c0
    sock_sendmsg+0x66/0x70
    ___sys_sendmsg+0x7c/0xd0
    __sys_sendmsg+0x5d/0xb0
    do_syscall_64+0x3f/0x90
    entry_SYSCALL_64_after_hwframe+0x72/0xdc

This bug can be reproduced by script:

    ip -6 addr add 2002::2/64 dev ens2
    ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100

    for i in 10 20 30 40 50 60 70;
    do
        ip link add link ens2 name ipv_$i type ipvlan
        ip -6 addr add 2002::$i/64 dev ipv_$i
        ifconfig ipv_$i up
    done

    for i in 10 20 30 40 50 60;
    do
        ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1 \
            dev ipv_$i metric 100
    done

    ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100

This patch fixes it by adding nexthop_len of every sibling using
rt6_nh_nlmsg_size().
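
The sizing error described above, as an added example that is not part of the advisory or the kernel patch: a simplified user-space C model comparing "first nexthop length times count" with a per-sibling sum, for a nexthop mix like the reproducer's. The struct, function names and byte sizes are constructed for illustration and are not the kernel's.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not kernel code. Sizes are constructed for illustration. */
#define NH_BASE_LEN 24 /* constructed: per-nexthop attributes without encap */
#define ENCAP_LEN   64 /* constructed: extra bytes for an lwtunnel encap */

struct nh_model { size_t encap_len; }; /* 0 = nexthop has no lwtunnel */

/* Mirrors the reproducer: the notified route (index 0) and one sibling have
 * no encap, six siblings carry "encap ip6". */
static const struct nh_model repro[8] = {
    {0}, {ENCAP_LEN}, {ENCAP_LEN}, {ENCAP_LEN},
    {ENCAP_LEN}, {ENCAP_LEN}, {ENCAP_LEN}, {0},
};

static size_t nh_len(const struct nh_model *nh)
{
    return NH_BASE_LEN + nh->encap_len;
}

/* Pre-fix estimate: the notified route's nexthop length times the count. */
size_t size_before_fix(const struct nh_model *nhs, size_t n)
{
    return n ? nh_len(&nhs[0]) * n : 0;
}

/* Post-fix estimate: add the length of every sibling individually. */
size_t size_after_fix(const struct nh_model *nhs, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += nh_len(&nhs[i]);
    return total;
}

/* Models filling the message: -1 stands in for the out-of-space error. */
int fill_nexthops(const struct nh_model *nhs, size_t n, size_t room)
{
    for (size_t i = 0; i < n; i++) {
        if (nh_len(&nhs[i]) > room)
            return -1;
        room -= nh_len(&nhs[i]);
    }
    return 0;
}

int main(void)
{
    size_t before = size_before_fix(repro, 8), after = size_after_fix(repro, 8);
    printf("before=%zu fill=%d\n", before, fill_nexthops(repro, 8, before));
    printf("after=%zu fill=%d\n", after, fill_nexthops(repro, 8, after));
    return 0;
}
```

In the model the undersized estimate runs out of room at the second encapsulated sibling, which corresponds to the condition the warning in inet6_rt_notify() reports.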
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4cc59f386991ec9374cb4bc83dbe1c0b5a95033f
- https://git.kernel.org/stable/c/aa75d826c221e8d48607aef33836cf872a159cf1
- https://git.kernel.org/stable/c/aba298b35619213ca787d08d472049627d8cd012
- https://git.kernel.org/stable/c/da26369377f0b671c14692e2d65ceb38131053e1
- https://git.kernel.org/stable/c/dcdddb5f490890d058ea1f194d661219e92fe88d
- https://git.kernel.org/stable/c/e11e4d524eba2d3c8fdf897d7ce3853f7573bae9



