CVE-2023-54265

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix an uninit variable access bug in __ip6makeskb()

Syzbot reported a bug as following:

===================================================== BUG: KMSAN: uninit-value in archatomic64inc arch/x86/include/asm/atomic6464.h:88 [inline] BUG: KMSAN: uninit-value in archatomiclonginc include/linux/atomic/atomic-long.h:161 [inline] BUG: KMSAN: uninit-value in atomiclonginc include/linux/atomic/atomic-instrumented.h:1429 [inline] BUG: KMSAN: uninit-value in __ip6makeskb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 archatomic64inc arch/x86/include/asm/atomic6464.h:88 [inline] archatomiclonginc include/linux/atomic/atomic-long.h:161 [inline] atomiclonginc include/linux/atomic/atomic-instrumented.h:1429 [inline] __ip6makeskb+0x2f37/0x30f0 net/ipv6/ip6output.c:1956 ip6finishskb include/net/ipv6.h:1122 [inline] ip6pushpendingframes+0x10e/0x550 net/ipv6/ip6output.c:1987 rawv6pushpendingframes+0xb12/0xb90 net/ipv6/raw.c:579 rawv6sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922 inetsendmsg+0x101/0x180 net/ipv4/afinet.c:827 socksendmsgnosec net/socket.c:714 [inline] socksendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 __sys_sendmsg net/socket.c:2559 [inline] __dosyssendmsg net/socket.c:2568 [inline] __sesyssendmsg net/socket.c:2566 [inline] __x64syssendmsg+0x367/0x540 net/socket.c:2566 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

Uninit was created at: slabpostallochook mm/slab.h:766 [inline] slaballoc_node mm/slub.c:3452 [inline] __kmemcachealloc_node+0x71f/0xce0 mm/slub.c:3491 __dokmallocnode mm/slab_common.c:967 [inline] __kmallocnodetrackcaller+0x114/0x3b0 mm/slabcommon.c:988 kmalloc_reserve net/core/skbuff.c:492 [inline] __allocskb+0x3af/0x8f0 net/core/skbuff.c:565 allocskb include/linux/skbuff.h:1270 [inline] __ip6appenddata+0x51c1/0x6bb0 net/ipv6/ip6output.c:1684 ip6appenddata+0x411/0x580 net/ipv6/ip6output.c:1854 rawv6sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915 inetsendmsg+0x101/0x180 net/ipv4/afinet.c:827 socksendmsgnosec net/socket.c:714 [inline] socksendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 __sys_sendmsg net/socket.c:2559 [inline] __dosyssendmsg net/socket.c:2568 [inline] __sesyssendmsg net/socket.c:2566 [inline] __x64syssendmsg+0x367/0x540 net/socket.c:2566 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

It is because icmp6hdr does not in skb linear region under the scenario of SOCKRAW socket. Access icmp6hdr(skb)->icmp6_type directly will trigger the uninit variable access bug.

Use a local variable icmp6_type to carry the correct value in different scenarios.