CVE-2023-53863

Source
https://cve.org/CVERecord?id=CVE-2023-53863
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53863.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53863
Published
2025-12-09T01:30:32.109Z
Modified
2026-03-31T17:29:32.420605241Z
Summary
netlink: do not hard code device address lenth in fdb dumps
Details

In the Linux kernel, the following vulnerability has been resolved:

netlink: do not hard code device address lenth in fdb dumps

syzbot reports that some netdev devices do not have a six bytes address [1]

Replace ETH_ALEN by dev->addr_len.

[1] (Case of a device where dev->addr_len = 4)

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copyout+0xb8/0x100 lib/iov_iter.c:169
_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
copy_to_iter include/linux/uio.h:206 [inline]
simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
sock_recvmsg_nosec net/socket.c:1019 [inline]
sock_recvmsg net/socket.c:1040 [inline]
____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was stored to memory at:
__nla_put lib/nlattr.c:1009 [inline]
nla_put+0x1c6/0x230 lib/nlattr.c:1067
nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
slab_alloc_node mm/slub.c:3451 [inline]
__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
kmalloc include/linux/slab.h:559 [inline]
__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
notifier_call_chain kernel/notifier.c:93 [inline]
raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
do_set_master net/core/rtnetlink.c:2626 [inline]
rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf28/0x1230 net/netlink/af ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53863.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d83b060360485454fcd6870340ec01d6f96f2295
Fixed
61d1bf3c34bf5fe936c50d1a4bc460babcc85e88
Fixed
c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3
Fixed
bd1de6107f10e7d4c2aabe3397b58d63672fc511
Fixed
44db85c6e1a184b99a2cdf56b525ac63c4962c22
Fixed
619384319b137908d1008c92426c9daa95c06b90
Fixed
e9331c8fa4c69f09d2c71682af75586f77266e81
Fixed
b6f2d4618fc697886ad41e215ae20638153e42d0
Fixed
73862118bd9dec850aa8e775145647ddd23aedf8
Fixed
aa5406950726e336c5c9585b09799a734b6e77bf

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53863.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type        Introduced  Fixed
ECOSYSTEM   3.5.0       4.14.322
ECOSYSTEM   4.15.0      4.19.291
ECOSYSTEM   4.20.0      5.4.251
ECOSYSTEM   5.5.0       5.10.188
ECOSYSTEM   5.11.0      5.15.121
ECOSYSTEM   5.16.0      6.1.39
ECOSYSTEM   6.2.0       6.3.13
ECOSYSTEM   6.4.0       6.4.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53863.json"