Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's netlink routing subsystem, specifically within the rtnl_fill_vfinfo() function. This issue arises because the function declares a structure for virtual function (VF) broadcast information on the stack without proper initialization. The uninitialized structure can leak up to 26 bytes of sensitive data from the kernel stack to user space, per virtual function, with each RTM_GETLINK request. This vulnerability can be exploited by any unprivileged local process with access to the netlink route interface.
Exploitation of this vulnerability leads to the unintentional disclosure of sensitive data from the kernel stack to user space, which can include return addresses and other transient information. Memory sanitization tools that track uninitialized memory can flag this stack residue as it is copied into the netlink reply.
To reproduce this vulnerability, an unprivileged local process can open an AF_NETLINK socket with the NETLINK_ROUTE protocol. The process can then send an RTM_GETLINK request with an IFLA_EXT_MASK attribute that includes RTEXT_FILTER_VF. This request will prompt the kernel to walk through each virtual function and emit the IFLA_VF_BROADCAST information, thereby leaking the uninitialized stack data.
The vulnerability has been addressed by modifying the rtnl_fill_vfinfo() function to include a memory zeroing step for the vf_broadcast structure before copying the broadcast data from the device. This change ensures that the structure is properly initialized, preventing the leakage of uninitialized stack data.
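The vulnerable and fixed fill patterns side by side, as an added userspace model and not the kernel's own code: the structure and device stand-ins are assumptions, and the memory that plays the stack slot is pre-filled with a sentinel so the leaked byte count is deterministic (with a 6-byte Ethernet address the untouched tail is the 26 bytes the advisory describes).

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the IFLA_VF_BROADCAST payload: a 32-byte buffer
 * of which only dev->addr_len bytes are ever written by the fill. */
#define VF_BROADCAST_LEN 32
#define STALE_BYTE 0xAA   /* sentinel standing in for old stack contents */

struct vf_broadcast_model {
    uint8_t broadcast[VF_BROADCAST_LEN];
};

/* Minimal stand-in for the net_device fields the fill routine reads. */
struct dev_model {
    uint8_t broadcast[VF_BROADCAST_LEN];
    unsigned int addr_len;
};

/* The caller supplies the memory that plays the stack slot (reading a
 * truly uninitialized local would be undefined behaviour in userspace). */

/* Vulnerable pattern: copy addr_len bytes and leave the rest untouched. */
static void fill_vf_broadcast_vulnerable(struct vf_broadcast_model *slot,
                                         const struct dev_model *dev)
{
    memcpy(slot->broadcast, dev->broadcast, dev->addr_len);
}

/* Fixed pattern: zero the whole structure before copying the address. */
static void fill_vf_broadcast_fixed(struct vf_broadcast_model *slot,
                                    const struct dev_model *dev)
{
    memset(slot, 0, sizeof(*slot));
    memcpy(slot->broadcast, dev->broadcast, dev->addr_len);
}

/* Returns how many bytes of the emitted attribute still hold stale stack
 * contents after the fill; 0 means nothing leaks to user space. */
static size_t stale_bytes_emitted(void (*fill)(struct vf_broadcast_model *,
                                               const struct dev_model *),
                                  unsigned int addr_len)
{
    struct dev_model dev = { .addr_len = addr_len };
    struct vf_broadcast_model slot;
    size_t stale = 0;

    memset(dev.broadcast, 0xff, addr_len);     /* constructed ff:ff:... address */
    memset(&slot, STALE_BYTE, sizeof(slot));   /* simulate old stack data */
    fill(&slot, &dev);
    for (size_t i = 0; i < VF_BROADCAST_LEN; i++)
        if (slot.broadcast[i] == STALE_BYTE)
            stale++;
    return stale;
}
```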