Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
An information leak vulnerability has been identified in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem. The issue arises in the tipc_topsrv_kern_subscr function, where an 8-byte write is needed to fully initialize the usr_handle variable. Without it, four bytes are left uninitialized, and their contents are leaked when the packet is received. This vulnerability was detected by KMSAN (Kernel Memory Sanitizer) and occurs during the handling of socket options related to TIPC.
Exploitation of this vulnerability causes an uninitialized memory read, which can lead to the disclosure of sensitive information.
The vulnerability can be reproduced by calling the tipc_topsrv_kern_subscr function with the appropriate parameters. The function will process the subscription and, due to the improper handling of the usr_handle variable, an uninitialized memory region will be accessed. This can be observed by monitoring the received packets, which will contain leaked information from the kernel memory.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.
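The partial write described above can be modelled in user space. This is an added example, not kernel code and not the upstream patch: the struct `demo_subscr`, its `type` and `timeout` fields, the helper names and the `0xAA` poison byte (standing in for stale stack contents) are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA /* constructed marker for stale stack contents */

/* Hypothetical stand-in for the subscription message; only the
 * 8-byte user handle matters for this demonstration. */
struct demo_subscr {
    uint32_t type;
    uint32_t timeout;
    char usr_handle[8];
};

/* Buggy pattern: a 32-bit store covers only 4 of the 8 handle bytes. */
static void fill_4byte(struct demo_subscr *s, uint32_t port)
{
    memcpy(s->usr_handle, &port, sizeof(port));
}

/* Fixed pattern: widen the value so the store covers all 8 bytes. */
static void fill_8byte(struct demo_subscr *s, uint32_t port)
{
    uint64_t h = port;
    memcpy(s->usr_handle, &h, sizeof(h));
}

/* Build the message on a "dirty" stack slot and return how many handle
 * bytes still hold stale data, i.e. what a receiver would get to see. */
size_t leak_with(int fixed, uint32_t port)
{
    struct demo_subscr s;
    size_t n = 0;

    memset(&s, POISON, sizeof(s)); /* model leftover stack data */
    s.type = 1;
    s.timeout = 0;
    if (fixed)
        fill_8byte(&s, port);
    else
        fill_4byte(&s, port);
    for (size_t i = 0; i < sizeof(s.usr_handle); i++)
        if ((unsigned char)s.usr_handle[i] == POISON)
            n++;
    return n;
}

int main(void)
{
    printf("4-byte write: %zu stale bytes\n", leak_with(0, 0x1234u));
    printf("8-byte write: %zu stale bytes\n", leak_with(1, 0x1234u));
    return 0;
}
```

In the kernel the stale bytes are whatever previously occupied that stack slot, which is why KMSAN reports the read when the message is consumed.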