Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (and 4 further CPE entries not shown here)
A vulnerability in the Linux kernel's netfilter component has been addressed. When multiple NFLOG messages are batched, the message terminator is appended without properly initializing the payload, leading to a leak of four bytes of uninitialized kernel heap data to userspace. This issue arises because the helper function used to add the message only clears alignment padding after the payload, leaving the payload itself uninitialized. The vulnerability affects several versions of the Linux kernel.
The vulnerability could be exploited to leak sensitive information from the kernel to userspace, potentially including confidential data or memory addresses that could be used in further attacks.
The vulnerability can be reproduced by batching multiple NFLOG messages, which triggers the uninitialized payload issue in the message terminator. This can be done by creating a scenario where the NFLOG queue length is greater than one, causing the __nfulnl_send() function to append an NLMSG_DONE terminator without properly initializing the nfgenmsg payload.
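As an added illustration, not code from this advisory or from the kernel: a user-space C model of the pattern the advisory describes. The nlmsghdr, nfgenmsg and skb stand-ins are constructed (names borrowed from the uapi headers, layouts simplified), the buffer is pre-filled with a known byte pattern as a proxy for stale heap contents, and an NLMSG_DONE terminator is appended once with a pad-only helper and once with every payload field set, so the leak shows up as a count of surviving pattern bytes.

```c
#include <stdint.h>
#include <string.h>

/* Constructed user-space stand-ins for the netlink pieces named in the advisory. */
#define NLMSG_ALIGNTO 4U
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_DONE 0x3
#define STALE 0xAA   /* byte pattern standing in for old heap contents */

struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
                  uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
struct nfgenmsg { uint8_t nfgen_family; uint8_t version; uint16_t res_id; };
struct skb { unsigned char data[128]; size_t tail; };   /* simplified sk_buff */

/* Generic put helper as the advisory describes it: reserve header + payload,
 * fill the header, zero only the alignment padding after the payload. */
static void *msg_put_pad_only(struct skb *skb, uint16_t type, size_t payload) {
    struct nlmsghdr *nlh = (struct nlmsghdr *)(skb->data + skb->tail);
    nlh->nlmsg_len = (uint32_t)(sizeof *nlh + payload);
    nlh->nlmsg_type = type; nlh->nlmsg_flags = 0; nlh->nlmsg_seq = 0; nlh->nlmsg_pid = 0;
    memset((unsigned char *)nlh + nlh->nlmsg_len, 0, NLMSG_ALIGN(payload) - payload);
    skb->tail += sizeof *nlh + NLMSG_ALIGN(payload);
    return nlh + 1;                     /* payload bytes are left as they were */
}

/* Vulnerable pattern: NLMSG_DONE appended, nfgenmsg payload never written. */
static void append_done_unfixed(struct skb *skb) {
    (void)msg_put_pad_only(skb, NLMSG_DONE, sizeof(struct nfgenmsg));
}

/* Fixed pattern: every nfgenmsg field is set before the skb leaves the kernel. */
static void append_done_fixed(struct skb *skb, uint8_t family, uint16_t res_id) {
    struct nfgenmsg *nfmsg = msg_put_pad_only(skb, NLMSG_DONE, sizeof *nfmsg);
    nfmsg->nfgen_family = family;
    nfmsg->version = 0;
    nfmsg->res_id = res_id;   /* kept in host order here; the wire format is big-endian */
}

/* Pre-fill the buffer with STALE, append the terminator, and count payload
 * bytes still holding STALE: exactly the bytes userspace would receive. */
int stale_payload_bytes(int fixed) {
    struct skb skb; memset(skb.data, STALE, sizeof skb.data); skb.tail = 0;
    if (fixed) append_done_fixed(&skb, 2 /* AF_INET */, 0);
    else       append_done_unfixed(&skb);
    const unsigned char *p = skb.data + sizeof(struct nlmsghdr);
    int n = 0;
    for (size_t i = 0; i < sizeof(struct nfgenmsg); i++) n += (p[i] == STALE);
    return n;
}
```

The unfixed path leaves all four nfgenmsg bytes holding the stale pattern, which is the four-byte leak the advisory counts; the fixed path leaves none.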
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.