Linux Kernel Uninitialized Memory Leak Vulnerability in act_connmark

Vulnerability

A vulnerability in the Linux kernel's connmark action handling has been addressed. The issue arose because a variable in the 'tcf_connmark_dump()' function was only partially initialized, leaving certain padding bytes uninitialized. When the 'nla_put()' function transferred the structure to a netlink message, these uninitialized bytes were inadvertently exposed to userspace. The vulnerability has been fixed by ensuring the structure is fully initialized before being copied, preventing any leakage of uninitialized data.

Impact

The vulnerability could lead to unintended information disclosure, allowing uninitialized memory contents to be exposed to userspace.

Reproduction

The vulnerability can be reproduced by using the connmark action in the Linux traffic control (tc) subsystem. When the 'tcf_connmark_dump()' function is called, the uninitialized bytes in the 'tc_connmark' structure are leaked to userspace via a netlink message. This can be observed by monitoring the netlink messages sent to userspace and checking for the presence of uninitialized data.
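As an added illustration, not code from the advisory or the kernel itself: a C stand-in for the pattern described above, showing the partially initialized structure beside the fully zeroed one, plus a check that counts how many padding bytes of the serialized copy still hold stale data (the kind of check the observation step above relies on). The struct layout (demo_connmark), the 0xAA stale marker and the helpers serialize_connmark() and count_stale_padding() are constructed for this example and only modelled on the description of tc_connmark.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STALE_MARKER 0xAA /* constructed: stands in for stale stack contents */

/* Stand-in for the netlink payload: tc_gen-style header plus a 16-bit zone. 22 bytes
 * of members, padded by the compiler to 24, so two trailing padding bytes exist.
 * Assumption: modelled on the advisory text, not the kernel's struct tc_connmark. */
struct demo_connmark {
    uint32_t index, capab;
    int32_t  action, refcnt, bindcnt;
    uint16_t zone;
};

/* Count serialized bytes outside every member (padding) that still hold the stale marker. */
static int count_stale_padding(const unsigned char *wire)
{
    unsigned char covered[sizeof(struct demo_connmark)] = {0};
#define COVER(f) memset(covered + offsetof(struct demo_connmark, f), 1, \
                        sizeof(((struct demo_connmark *)0)->f))
    COVER(index); COVER(capab); COVER(action); COVER(refcnt); COVER(bindcnt); COVER(zone);
#undef COVER
    int stale = 0;
    for (size_t i = 0; i < sizeof covered; i++)
        if (!covered[i] && wire[i] == STALE_MARKER) stale++;
    return stale;
}

/* Fill the struct as a dump routine would, then copy sizeof(struct) bytes out the way
 * nla_put() does. zero_whole_struct: 0 = only named members written (the bug), 1 = fix. */
static int serialize_connmark(int zero_whole_struct, unsigned char *wire)
{
    union { struct demo_connmark s; unsigned char raw[sizeof(struct demo_connmark)]; } m;
    memset(m.raw, STALE_MARKER, sizeof m.raw); /* pretend the stack slot held old data */
    if (zero_whole_struct)
        memset(&m.s, 0, sizeof m.s);           /* every byte, padding included */
    m.s.index = 1; m.s.capab = 0; m.s.action = 3;
    m.s.refcnt = 1; m.s.bindcnt = 1; m.s.zone = 7;
    memcpy(wire, m.raw, sizeof m.raw);         /* the nla_put() copy to the message */
    return count_stale_padding(wire);
}

int main(void)
{
    unsigned char wire[sizeof(struct demo_connmark)];
    printf("stale padding bytes leaked: partial init %d, full init %d\n",
           serialize_connmark(0, wire), serialize_connmark(1, wire));
    return 0;
}
```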

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.

Added: Dec 6, 2025, 10:30 PM
Updated: Dec 6, 2025, 10:30 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          0.6
  exploitability  4.3
  remediation     7.7
  relevance       1.3
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.