CVE-2023-53798
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
09/12/2025
Last modified:
09/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ethtool: Fix uninitialized number of lanes

It is not possible to set the number of lanes when setting link modes
using the legacy IOCTL ethtool interface. Since 'struct
ethtool_link_ksettings' is not initialized in this path, drivers receive
an uninitialized number of lanes in 'struct
ethtool_link_ksettings::lanes'.

When this information is later queried from drivers, it results in the
ethtool code making decisions based on uninitialized memory, leading to
the following KMSAN splat [1]. In practice, this most likely only
happens with the tun driver that simply returns whatever it got in the
set operation.

As far as I can tell, this uninitialized memory is not leaked to user
space thanks to the 'ethtool_ops->cap_link_lanes_supported' check in
linkmodes_prepare_data().

Fix by initializing the structure in the IOCTL path. Did not find any
more call sites that pass an uninitialized structure when calling
'ethtool_ops::set_link_ksettings()'.

[1]
BUG: KMSAN: uninit-value in ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline]
BUG: KMSAN: uninit-value in ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333
ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline]
ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333
ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640
genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmsg net/socket.c:2584 [inline]
__do_sys_sendmsg net/socket.c:2593 [inline]
__se_sys_sendmsg net/socket.c:2591 [inline]
__x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was stored to memory at:
tun_get_link_ksettings+0x37/0x60 drivers/net/tun.c:3544
__ethtool_get_link_ksettings+0x17b/0x260 net/ethtool/ioctl.c:441
ethnl_set_linkmodes+0xee/0x19d0 net/ethtool/linkmodes.c:327
ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640
genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmsg net/socket.c:2584 [inline]
__do_sys_sendmsg net/socket.c:2593 [inline]
__se_sys_sendmsg net/socket.c:2591 [inline]
__x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was stored to memory at:
tun_set_link_ksettings+0x37/0x60 drivers/net/tun.c:3553
ethtool_set_link_ksettings+0x600/0x690 net/ethtool/ioctl.c:609
__dev_ethtool net/ethtool/ioctl.c:3024 [inline]
dev_ethtool+0x1db9/0x2a70 net/ethtool/ioctl.c:3078
dev_ioctl+0xb07/0x1270 net/core/dev_ioctl.c:524
sock_do_ioctl+0x295/0x540 net/socket.c:1213
sock_i
---truncated---
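
A user-space C model of the flaw described above, added here as an illustration and not taken from the kernel or from the fix commits. The struct layouts, function names and the 0xAA fill that stands in for stale stack contents are assumptions; the model shows a store-everything driver handing back a lanes value that the legacy set path never wrote, and the same path once the structure is initialized first.

```c
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures; names are illustrative. */
struct link_ksettings {
    uint32_t speed;
    uint8_t  duplex;
    uint32_t lanes;                 /* not settable through the legacy ioctl */
};

struct legacy_cmd { uint32_t speed; uint8_t duplex; };

/* tun-like driver: keeps whatever the set operation hands it. */
static struct link_ksettings stored;
static void drv_set(const struct link_ksettings *ks) { stored = *ks; }
static void drv_get(struct link_ksettings *ks)       { *ks = stored; }

/*
 * Model of the legacy ioctl set path. Reading a truly uninitialized local is
 * undefined behaviour, so stale stack bytes are modelled with a 0xAA fill
 * (constructed value) to keep the result deterministic.
 */
static void ioctl_set(const struct legacy_cmd *cmd, int initialize)
{
    struct link_ksettings ks;

    memset(&ks, 0xAA, sizeof(ks));  /* stand-in for uninitialized stack */
    if (initialize)
        memset(&ks, 0, sizeof(ks)); /* fixed path: initialize before filling */
    ks.speed  = cmd->speed;         /* only the legacy fields are copied in */
    ks.duplex = cmd->duplex;
    drv_set(&ks);
}

/* One legacy set followed by a later query; returns the lanes value seen. */
static uint32_t set_then_query(int initialize)
{
    struct legacy_cmd cmd = { .speed = 1000, .duplex = 1 };
    struct link_ksettings ks;

    ioctl_set(&cmd, initialize);
    drv_get(&ks);
    return ks.lanes;
}

int main(void)
{
    return (set_then_query(0) == 0xAAAAAAAAu && set_then_query(1) == 0) ? 0 : 1;
}
```
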
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/6456d80045d6de47734b1a3879c91f72af186529
- https://git.kernel.org/stable/c/72808c4ab5fd01bf1214195005e15b434bf55cef
- https://git.kernel.org/stable/c/942a2a0184f7bb1c1ae4bbc556559c86c054b0d2
- https://git.kernel.org/stable/c/9ad685dbfe7e856bbf17a7177b64676d324d6ed7
- https://git.kernel.org/stable/c/da81af0ef8092ecacd87fac3229c29e2e0ce39fd



