Linux Kernel VMCI Uninitialized Payload Dispatch Vulnerability

Vulnerability

A vulnerability in the Linux kernel's VMCI (Virtual Machine Communication Interface) component allows for the dispatch of uninitialized payloads, leading to a potential leak of kernel data to user space. This issue arises when the 'init_context' function fails, leaving the 'vmci_event_ctx' structure partially initialized. As a result, when 'vmci_datagram_dispatch' is called to send events to all VM contexts, the datagram payload does not conform to the expected size, causing uninitialized data to be sent to user space. The vulnerability can be reproduced by executing the host's 'unlocked_ioctl' call in two separate tasks, simulating a context initialization failure.

Impact

The vulnerability causes a data leak from the kernel to user space, exposing uninitialized kernel data.

Reproduction

To reproduce this vulnerability, initiate a VMCI context and deliberately cause the 'init_context' function to fail. This can be done by manipulating the context initialization process to ensure it does not complete successfully. Once the context is in a failed state, execute the 'unlocked_ioctl' call in two different tasks. The first task will trigger the VMCI datagram dispatch, while the second task will attempt to read the datagram from the context's queue. Because the payload is not properly initialized, this will result in an unintentional leak of kernel data to user space.
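The failure mode described in the Vulnerability and Reproduction sections is a general one: a structure is initialized in steps, the initializer returns early, and a later dispatch copies the whole structure out without checking whether initialization completed. The C program below is an added, constructed illustration of that pattern and of the defensive handling a reviewer would look for (zero the structure before use, fail closed when initialization fails, copy only the initialized length). It is not the kernel's VMCI code and does not reproduce the advisory's race; the struct layout, the names init_context, dispatch_vulnerable and dispatch_hardened, and the 0xDD "stale memory" marker are all hypothetical. Whether the upstream fix took exactly this shape is not stated on this page, so the hardened path is a generic mitigation, not a description of the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 16
#define STALE_BYTE 0xDD   /* constructed marker standing in for leftover memory contents */

/* Hypothetical event context: an id, a length, and a fixed payload buffer. */
struct event_ctx {
    uint32_t context_id;
    uint32_t payload_size;            /* number of payload bytes actually filled */
    unsigned char payload[PAYLOAD_LEN];
};

/* Simulated initializer that can fail after setting the id but before the
 * payload is filled, leaving payload_size and payload untouched. */
static int init_context(struct event_ctx *ctx, uint32_t id, int fail)
{
    ctx->context_id = id;
    if (fail)
        return -1;                    /* early return: payload never written */
    ctx->payload_size = PAYLOAD_LEN;
    memset(ctx->payload, 0x41, PAYLOAD_LEN);
    return 0;
}

/* Vulnerable pattern: init result is ignored and the whole struct is copied out,
 * so whatever the memory held before initialization leaves with it. */
static size_t dispatch_vulnerable(struct event_ctx *ctx, uint32_t id, int fail,
                                  unsigned char *out, size_t out_len)
{
    memset(ctx, STALE_BYTE, sizeof(*ctx));   /* simulate reused, uncleared memory */
    (void)init_context(ctx, id, fail);
    size_t n = sizeof(*ctx) < out_len ? sizeof(*ctx) : out_len;
    memcpy(out, ctx, n);
    return n;
}

/* Hardened pattern: zero before use, refuse to dispatch on init failure, and
 * bound the copy to the header plus the declared payload length. */
static size_t dispatch_hardened(struct event_ctx *ctx, uint32_t id, int fail,
                                unsigned char *out, size_t out_len)
{
    memset(ctx, STALE_BYTE, sizeof(*ctx));   /* same stale starting point */
    memset(ctx, 0, sizeof(*ctx));            /* clear before any field is trusted */
    if (init_context(ctx, id, fail) != 0)
        return 0;                            /* fail closed: nothing is sent */
    size_t n = offsetof(struct event_ctx, payload) + ctx->payload_size;
    if (ctx->payload_size > PAYLOAD_LEN || n > out_len)
        return 0;
    memcpy(out, ctx, n);
    return n;
}

/* Count how many dispatched bytes still carry the stale marker. */
static size_t count_stale(const unsigned char *out, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == STALE_BYTE)
            c++;
    return c;
}

/* Run one dispatch and return the number of stale bytes that reached 'out'. */
static size_t leaked_bytes(int hardened, int fail)
{
    struct event_ctx ctx;
    unsigned char out[sizeof(struct event_ctx)];
    memset(out, 0, sizeof out);
    size_t n = hardened ? dispatch_hardened(&ctx, 7, fail, out, sizeof out)
                        : dispatch_vulnerable(&ctx, 7, fail, out, sizeof out);
    return count_stale(out, n);
}

int main(void)
{
    printf("vulnerable, init fails: %zu stale bytes dispatched\n", leaked_bytes(0, 1));
    printf("vulnerable, init ok:    %zu stale bytes dispatched\n", leaked_bytes(0, 0));
    printf("hardened,   init fails: %zu stale bytes dispatched\n", leaked_bytes(1, 1));
    printf("hardened,   init ok:    %zu stale bytes dispatched\n", leaked_bytes(1, 0));
    return 0;
}
```

With the initializer failing, the vulnerable path ships the 4-byte length field and the 16-byte payload exactly as the memory held them before initialization; the hardened path ships nothing. The three changes are independent and each closes part of the gap: zeroing removes the stale contents, the return-value check stops a half-built object from being dispatched at all, and bounding the copy to payload_size keeps a later caller from sending more than was filled in even when the other two are forgotten.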

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Aug 19, 2025, 5:48 PM
Updated: Aug 19, 2025, 5:48 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.