ghsa-mrpw-6g2q-pgjw
Vulnerability from github
Published
2025-10-01 12:30
Modified
2025-10-01 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Add lwtunnel encap size of all siblings in nexthop calculation

In function rt6_nlmsg_size(), the length of nexthop is calculated by multipling the nexthop length of fib6_info and the number of siblings. However if the fib6_info has no lwtunnel but the siblings have lwtunnels, the nexthop length is less than it should be, and it will trigger a warning in inet6_rt_notify() as follows:

WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130 ...... Call Trace: fib6_add_rt2node+0x685/0xa30 fib6_add+0x96/0x1b0 ip6_route_add+0x50/0xd0 inet6_rtm_newroute+0x97/0xa0 rtnetlink_rcv_msg+0x156/0x3d0 netlink_rcv_skb+0x5a/0x110 netlink_unicast+0x246/0x350 netlink_sendmsg+0x250/0x4c0 sock_sendmsg+0x66/0x70 syssendmsg+0x7c/0xd0 sys_sendmsg+0x5d/0xb0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc

This bug can be reproduced by script:

ip -6 addr add 2002::2/64 dev ens2 ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100

for i in 10 20 30 40 50 60 70; do ip link add link ens2 name ipv_$i type ipvlan ip -6 addr add 2002::$i/64 dev ipv_$i ifconfig ipv_$i up done

for i in 10 20 30 40 50 60; do ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1 dev ipv_$i metric 100 done

ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100

This patch fixes it by adding nexthop_len of every siblings using rt6_nh_nlmsg_size().

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53477"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:50Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Add lwtunnel encap size of all siblings in nexthop calculation\n\nIn function rt6_nlmsg_size(), the length of nexthop is calculated\nby multipling the nexthop length of fib6_info and the number of\nsiblings. However if the fib6_info has no lwtunnel but the siblings\nhave lwtunnels, the nexthop length is less than it should be, and\nit will trigger a warning in inet6_rt_notify() as follows:\n\nWARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130\n......\nCall Trace:\n \u003cTASK\u003e\n fib6_add_rt2node+0x685/0xa30\n fib6_add+0x96/0x1b0\n ip6_route_add+0x50/0xd0\n inet6_rtm_newroute+0x97/0xa0\n rtnetlink_rcv_msg+0x156/0x3d0\n netlink_rcv_skb+0x5a/0x110\n netlink_unicast+0x246/0x350\n netlink_sendmsg+0x250/0x4c0\n sock_sendmsg+0x66/0x70\n ___sys_sendmsg+0x7c/0xd0\n __sys_sendmsg+0x5d/0xb0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThis bug can be reproduced by script:\n\nip -6 addr add 2002::2/64 dev ens2\nip -6 route add 100::/64 via 2002::1 dev ens2 metric 100\n\nfor i in 10 20 30 40 50 60 70;\ndo\n\tip link add link ens2 name ipv_$i type ipvlan\n\tip -6 addr add 2002::$i/64 dev ipv_$i\n\tifconfig ipv_$i up\ndone\n\nfor i in 10 20 30 40 50 60;\ndo\n\tip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1\ndev ipv_$i metric 100\ndone\n\nip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100\n\nThis patch fixes it by adding nexthop_len of every siblings using\nrt6_nh_nlmsg_size().",
  "id": "GHSA-mrpw-6g2q-pgjw",
  "modified": "2025-10-01T12:30:30Z",
  "published": "2025-10-01T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53477"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4cc59f386991ec9374cb4bc83dbe1c0b5a95033f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa75d826c221e8d48607aef33836cf872a159cf1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aba298b35619213ca787d08d472049627d8cd012"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da26369377f0b671c14692e2d65ceb38131053e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dcdddb5f490890d058ea1f194d661219e92fe88d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e11e4d524eba2d3c8fdf897d7ce3853f7573bae9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.