Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: Add lwtunnel encap size of all siblings in nexthop calculation

In function rt6_nlmsg_size(), the length of nexthop is calculated by multiplying the nexthop length of fib6_info and the number of siblings. However, if the fib6_info has no lwtunnel but the siblings have lwtunnels, the nexthop length is less than it should be, and it will trigger a warning in inet6_rt_notify() as follows:

    WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130
    ......
    Call Trace:
     <TASK>
     fib6_add_rt2node+0x685/0xa30
     fib6_add+0x96/0x1b0
     ip6_route_add+0x50/0xd0
     inet6_rtm_newroute+0x97/0xa0
     rtnetlink_rcv_msg+0x156/0x3d0
     netlink_rcv_skb+0x5a/0x110
     netlink_unicast+0x246/0x350
     netlink_sendmsg+0x250/0x4c0
     sock_sendmsg+0x66/0x70
     ___sys_sendmsg+0x7c/0xd0
     __sys_sendmsg+0x5d/0xb0
     do_syscall_64+0x3f/0x90
     entry_SYSCALL_64_after_hwframe+0x72/0xdc

This bug can be reproduced by script:

    ip -6 addr add 2002::2/64 dev ens2
    ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100

    for i in 10 20 30 40 50 60 70; do
        ip link add link ens2 name ipv_$i type ipvlan
        ip -6 addr add 2002::$i/64 dev ipv_$i
        ifconfig ipv_$i up
    done

    for i in 10 20 30 40 50 60; do
        ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1 dev ipv_$i metric 100
    done

    ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100

This patch fixes it by adding nexthop_len of every sibling using rt6_nh_nlmsg_size().
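The sizing error described above, shown as an added userspace C model (not kernel code and not taken from the patch): it compares the multiply-by-count estimate with a per-sibling sum and runs a bounded fill step against each result. The struct, the function names and the byte counts are constructed for illustration, and the sample mirrors the shape of the reproducer (one plain route, six siblings with encap, one plain sibling).

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model only: the struct, helper names and byte counts are
 * constructed for illustration and are not the kernel's definitions. */
struct nh_model {
    size_t base_len;   /* attributes every nexthop carries */
    size_t encap_len;  /* lwtunnel encap attributes, 0 when there is no encap */
};

static size_t nh_len(const struct nh_model *nh) { return nh->base_len + nh->encap_len; }

/* Pre-fix sizing: length of the route's own nexthop times the nexthop count. */
size_t size_before_fix(const struct nh_model *rt, size_t nsiblings)
{
    return nh_len(rt) * (nsiblings + 1);
}

/* Post-fix sizing: every sibling contributes its own length. */
size_t size_after_fix(const struct nh_model *rt, const struct nh_model *sib, size_t nsiblings)
{
    size_t total = nh_len(rt);
    for (size_t i = 0; i < nsiblings; i++)
        total += nh_len(&sib[i]);
    return total;
}

/* Fill step: bytes written, or -1 when the `cap`-byte buffer is too small. */
long fill_nexthops(size_t cap, const struct nh_model *rt, const struct nh_model *sib, size_t nsiblings)
{
    size_t used = nh_len(rt);
    for (size_t i = 0; i < nsiblings && used <= cap; i++)
        used += nh_len(&sib[i]);
    return used <= cap ? (long)used : -1;
}

/* Constructed sample: plain route, six encap siblings, one plain sibling. */
static const struct nh_model sample_rt = { 28, 0 };
static const struct nh_model sample_sib[7] = {
    {28, 56}, {28, 56}, {28, 56}, {28, 56}, {28, 56}, {28, 56}, {28, 0} };

int main(void)
{
    size_t before = size_before_fix(&sample_rt, 7);
    size_t after = size_after_fix(&sample_rt, sample_sib, 7);
    printf("pre-fix:  size=%zu fill=%ld\n", before, fill_nexthops(before, &sample_rt, sample_sib, 7));
    printf("post-fix: size=%zu fill=%ld\n", after, fill_nexthops(after, &sample_rt, sample_sib, 7));
    return 0;
}
```

In the model, the failed fill against the pre-fix size stands in for the condition that inet6_rt_notify() reports with the warning.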
Product status
beb1afac518dec5a15dc92ba8f0ca016dcf457b4 before aba298b35619213ca787d08d472049627d8cd012
beb1afac518dec5a15dc92ba8f0ca016dcf457b4 before da26369377f0b671c14692e2d65ceb38131053e1
beb1afac518dec5a15dc92ba8f0ca016dcf457b4 before dcdddb5f490890d058ea1f194d661219e92fe88d
beb1afac518dec5a15dc92ba8f0ca016dcf457b4 before e11e4d524eba2d3c8fdf897d7ce3853f7573bae9
beb1afac518dec5a15dc92ba8f0ca016dcf457b4 before aa75d826c221e8d48607aef33836cf872a159cf1
beb1afac518dec5a15dc92ba8f0ca016dcf457b4 before 4cc59f386991ec9374cb4bc83dbe1c0b5a95033f
4.11
Any version before 4.11
5.4.235
5.10.173
5.15.100
6.1.18
6.2.5
6.3
References
git.kernel.org/...c/aba298b35619213ca787d08d472049627d8cd012
git.kernel.org/...c/da26369377f0b671c14692e2d65ceb38131053e1
git.kernel.org/...c/dcdddb5f490890d058ea1f194d661219e92fe88d
git.kernel.org/...c/e11e4d524eba2d3c8fdf897d7ce3853f7573bae9
git.kernel.org/...c/aa75d826c221e8d48607aef33836cf872a159cf1
git.kernel.org/...c/4cc59f386991ec9374cb4bc83dbe1c0b5a95033f