Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's VFIO (Virtual Function I/O) subsystem, specifically in the type1 IOMMU (Input/Output Memory Management Unit) driver (drivers/vfio/vfio_iommu_type1.c). It is an information leak: part of a data structure describing migration capabilities is copied to userspace without having been initialized. In the structure 'vfio_iommu_type1_info_cap_migration' the 32-bit 'flags' member is followed by a 64-bit member, so the compiler inserts 4 bytes of padding after 'flags'. That padding is never written before the structure is sent to userspace, so whatever those bytes already held is disclosed.
Exploitation of this vulnerability results in unintended information disclosure: the structure is a local variable in the function that builds the capability, so the uninitialized bytes come from the kernel stack and are exposed to the userspace application issuing the ioctl. The ioctl is issued on a VFIO container file descriptor whose IOMMU has been set, which requires a device group already assigned to VFIO, so the attack surface is limited to users who have been granted device passthrough.
The vulnerability can be reproduced by invoking the 'VFIO_IOMMU_GET_INFO' ioctl command on such a container, which causes the migration capability to be reported. The 'vfio_iommu_migration_build_caps' function populates only the named fields of the capability structure and never touches the padding between 'flags' and 'pgsize_bitmap', so that hole still contains stale stack data when the capability is appended to the info buffer and copied to userspace.
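The leak mechanism, as an added user-space model that is not the kernel's code and not part of the original advisory. It reproduces the uapi field order of the capability, pre-fills the object's storage with a constructed marker byte standing in for stale kernel stack contents, builds the capability the way an unpatched builder does (named fields only) and the way a zeroing builder does (clear everything first), and counts how many marker bytes survive. The capability ID value and the sample pgsize/dirty-bitmap values are assumptions chosen for illustration; the leaked count on an LP64 target comes out to the 4 padding bytes after 'flags'.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * User-space model of the capability reported by VFIO_IOMMU_GET_INFO.
 * Field order follows include/uapi/linux/vfio.h (header is u16 id,
 * u16 version, u32 next). This is a demonstration, not the kernel's code.
 */
struct vfio_info_cap_header {
    uint16_t id;
    uint16_t version;
    uint32_t next;
};

struct vfio_iommu_type1_info_cap_migration {
    struct vfio_info_cap_header header;   /* bytes  0..7  */
    uint32_t flags;                       /* bytes  8..11 */
    /* on LP64 the compiler inserts 4 bytes of padding here: the hole */
    uint64_t pgsize_bitmap;               /* bytes 16..23 */
    uint64_t max_dirty_bitmap_size;       /* bytes 24..31 */
};

#define CAP_MIGRATION_ID 2   /* assumption: capability ID used for illustration */
#define STALE_BYTE 0xA5      /* constructed marker standing in for old stack data */

/* Size of the hole between flags and pgsize_bitmap, computed from the ABI. */
size_t migration_cap_hole_bytes(void)
{
    return offsetof(struct vfio_iommu_type1_info_cap_migration, pgsize_bitmap)
         - (offsetof(struct vfio_iommu_type1_info_cap_migration, flags)
            + sizeof(uint32_t));
}

/* Unpatched pattern: write each named field, leave the padding untouched. */
static void build_caps_unpatched(struct vfio_iommu_type1_info_cap_migration *cap,
                                 uint64_t pgsize_bitmap, uint64_t max_dirty)
{
    cap->header.id = CAP_MIGRATION_ID;
    cap->header.version = 1;
    cap->header.next = 0;
    cap->flags = 0;
    cap->pgsize_bitmap = pgsize_bitmap;
    cap->max_dirty_bitmap_size = max_dirty;
}

/* Zeroing pattern: clear the whole object first so the padding is zero too. */
static void build_caps_patched(struct vfio_iommu_type1_info_cap_migration *cap,
                               uint64_t pgsize_bitmap, uint64_t max_dirty)
{
    memset(cap, 0, sizeof(*cap));
    build_caps_unpatched(cap, pgsize_bitmap, max_dirty);
}

/*
 * Pre-fill the object's storage with STALE_BYTE (simulating what an earlier
 * call left on the kernel stack), build the capability, then count the bytes
 * that still hold the marker. Those are exactly the bytes a copy to userspace
 * of this struct would hand to the caller uninitialized.
 */
size_t leaked_bytes(int patched)
{
    union {
        struct vfio_iommu_type1_info_cap_migration cap;
        unsigned char raw[sizeof(struct vfio_iommu_type1_info_cap_migration)];
    } u;
    size_t i, n = 0;

    memset(u.raw, STALE_BYTE, sizeof u.raw);
    /* sample values (assumed): 4 KiB page size, 64 KiB dirty bitmap limit */
    if (patched)
        build_caps_patched(&u.cap, 0x1000, 0x10000);
    else
        build_caps_unpatched(&u.cap, 0x1000, 0x10000);

    for (i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == STALE_BYTE)
            n++;
    return n;
}

int main(void)
{
    printf("struct size %zu, hole after flags: %zu bytes\n",
           sizeof(struct vfio_iommu_type1_info_cap_migration),
           migration_cap_hole_bytes());
    printf("unpatched builder: %zu stale bytes reach userspace\n", leaked_bytes(0));
    printf("zeroing builder:   %zu stale bytes reach userspace\n", leaked_bytes(1));
    return 0;
}
```

The same check can be made against a real kernel image with debug info: 'pahole -C vfio_iommu_type1_info_cap_migration vmlinux' prints the member offsets and flags the 4-byte hole after 'flags'. The general lesson is that assigning every named member of a structure does not initialize its padding; any structure that crosses the user/kernel boundary has to be zeroed as a whole first.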
Users should upgrade to a Linux kernel release that contains the fix. The commit that addresses this issue is '13fd667db999bffb557c5de7adb3c14f1713dd51' in the Linux kernel stable tree; it zeroes the whole structure before populating it, so the padding is initialized along with the named fields. To find the first release carrying the fix in a local kernel checkout, run 'git describe --contains 13fd667db999bffb557c5de7adb3c14f1713dd51'.