CVE-2023-53798

In the Linux kernel, the following vulnerability has been resolved:

ethtool: Fix uninitialized number of lanes

It is not possible to set the number of lanes when setting link modes using the legacy IOCTL ethtool interface. Since 'struct ethtoollinkksettings' is not initialized in this path, drivers receive an uninitialized number of lanes in 'struct ethtoollinkksettings::lanes'.

When this information is later queried from drivers, it results in the ethtool code making decisions based on uninitialized memory, leading to the following KMSAN splat [1]. In practice, this most likely only happens with the tun driver that simply returns whatever it got in the set operation.

As far as I can tell, this uninitialized memory is not leaked to user space thanks to the 'ethtoolops->caplinklanessupported' check in linkmodespreparedata().

Fix by initializing the structure in the IOCTL path. Did not find any more call sites that pass an uninitialized structure when calling 'ethtoolops::setlink_ksettings()'.

[1] BUG: KMSAN: uninit-value in ethnlupdatelinkmodes net/ethtool/linkmodes.c:273 [inline] BUG: KMSAN: uninit-value in ethnlsetlinkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333 ethnlupdatelinkmodes net/ethtool/linkmodes.c:273 [inline] ethnlsetlinkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333 ethnldefaultsetdoit+0x88d/0xde0 net/ethtool/netlink.c:640 genlfamilyrcvmsgdoit net/netlink/genetlink.c:968 [inline] genlfamilyrcvmsg net/netlink/genetlink.c:1048 [inline] genlrcvmsg+0x141a/0x14c0 net/netlink/genetlink.c:1065 netlinkrcvskb+0x3f8/0x750 net/netlink/afnetlink.c:2577 genlrcv+0x40/0x60 net/netlink/genetlink.c:1076 netlinkunicastkernel net/netlink/afnetlink.c:1339 [inline] netlinkunicast+0xf41/0x1270 net/netlink/afnetlink.c:1365 netlinksendmsg+0x127d/0x1430 net/netlink/afnetlink.c:1942 socksendmsgnosec net/socket.c:724 [inline] socksendmsg net/socket.c:747 [inline] _syssendmsg+0xa24/0xe40 net/socket.c:2501 syssendmsg+0x2a1/0x3f0 net/socket.c:2555 _syssendmsg net/socket.c:2584 [inline] _dosyssendmsg net/socket.c:2593 [inline] _sesyssendmsg net/socket.c:2591 [inline] _x64syssendmsg+0x36b/0x540 net/socket.c:2591 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x63/0xcd

Uninit was stored to memory at: tungetlinkksettings+0x37/0x60 drivers/net/tun.c:3544 ethtoolgetlinkksettings+0x17b/0x260 net/ethtool/ioctl.c:441 ethnlsetlinkmodes+0xee/0x19d0 net/ethtool/linkmodes.c:327 ethnldefaultsetdoit+0x88d/0xde0 net/ethtool/netlink.c:640 genlfamilyrcvmsgdoit net/netlink/genetlink.c:968 [inline] genlfamilyrcvmsg net/netlink/genetlink.c:1048 [inline] genlrcvmsg+0x141a/0x14c0 net/netlink/genetlink.c:1065 netlinkrcvskb+0x3f8/0x750 net/netlink/afnetlink.c:2577 genlrcv+0x40/0x60 net/netlink/genetlink.c:1076 netlinkunicastkernel net/netlink/afnetlink.c:1339 [inline] netlinkunicast+0xf41/0x1270 net/netlink/afnetlink.c:1365 netlinksendmsg+0x127d/0x1430 net/netlink/afnetlink.c:1942 socksendmsgnosec net/socket.c:724 [inline] socksendmsg net/socket.c:747 [inline] syssendmsg+0xa24/0xe40 net/socket.c:2501 _syssendmsg+0x2a1/0x3f0 net/socket.c:2555 _syssendmsg net/socket.c:2584 [inline] _dosyssendmsg net/socket.c:2593 [inline] _sesyssendmsg net/socket.c:2591 [inline] _x64syssendmsg+0x36b/0x540 net/socket.c:2591 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x63/0xcd

Uninit was stored to memory at: tunsetlinkksettings+0x37/0x60 drivers/net/tun.c:3553 ethtoolsetlinkksettings+0x600/0x690 net/ethtool/ioctl.c:609 _devethtool net/ethtool/ioctl.c:3024 [inline] devethtool+0x1db9/0x2a70 net/ethtool/ioctl.c:3078 devioctl+0xb07/0x1270 net/core/devioctl.c:524 sockdoioctl+0x295/0x540 net/socket.c:1213 socki ---truncated---