Linux Kernel QRTR Uninitialized Variable Access Vulnerability in Transmission Resumption

Vulnerability

A vulnerability allowing uninitialized variable access has been identified in the Linux kernel's QRTR (Qualcomm Remote Procedure Call) implementation. This issue arises in the 'qrtr_tx_resume' function within the 'af_qrtr' file. The vulnerability is triggered when the 'qrtr_cb->type' is set to 'QRTR_TYPE_RESUME_TX' during the 'qrtr_endpoint_post' process, leading to the uninitialized variable being accessed. The problem was reported by Syzbot.

Impact

Exploitation of this vulnerability could lead to undefined behavior due to the access of uninitialized variables, which may cause memory corruption or other unintended consequences.

Reproduction

The vulnerability can be reproduced by sending a QRTR control packet with a size smaller than the expected minimum, while setting the 'qrtr_cb->type' to 'QRTR_TYPE_RESUME_TX'. This can be done through a simulated environment that mimics QRTR endpoint behavior, such as using Syzkaller, a fuzzing tool that discovered this vulnerability.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.
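
The condition described under Reproduction, a control packet shorter than the expected minimum, is the kind of input a length check rejects before any field is read. The following user-space model is an added example, not kernel code and not taken from the patch; the struct layout, constants and function names (model_ctrl_pkt, MODEL_TYPE_RESUME_TX, model_endpoint_post) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for this example; not the kernel's definitions. */
#define MODEL_TYPE_DATA      1u
#define MODEL_TYPE_RESUME_TX 2u  /* assumed value, model only */

struct model_ctrl_pkt {          /* simplified layout, host byte order */
    uint32_t cmd;
    uint32_t node;
    uint32_t port;
};

struct resume_target { uint32_t node; uint32_t port; };

enum { POST_OK = 0, POST_EINVAL = -1 };

/*
 * Model of the receive path: a RESUME_TX message whose payload is shorter
 * than the control packet is dropped before any field is read, so the
 * resume handler never consumes bytes the sender did not supply.
 */
int model_endpoint_post(uint32_t type, const void *payload, size_t len,
                        struct resume_target *out)
{
    struct model_ctrl_pkt pkt;

    if (type != MODEL_TYPE_RESUME_TX)
        return POST_OK;                 /* other types are not modelled */
    if (payload == NULL || len < sizeof(pkt))
        return POST_EINVAL;             /* short packet: reject, *out untouched */

    memcpy(&pkt, payload, sizeof(pkt)); /* all copied bytes came from the sender */
    out->node = pkt.node;
    out->port = pkt.port;
    return POST_OK;
}

int main(void)
{
    struct resume_target t = {0, 0};
    unsigned char short_pkt[4] = {0};   /* constructed: shorter than model_ctrl_pkt */
    int rc = model_endpoint_post(MODEL_TYPE_RESUME_TX, short_pkt, sizeof(short_pkt), &t);
    printf("short RESUME_TX -> %d\n", rc);
    return rc == POST_EINVAL ? 0 : 1;
}
```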

Added: Oct 4, 2025, 5:05 PM
Updated: Oct 4, 2025, 5:05 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.