Linux Kernel vsock/Virtio Non-Linear Buffer Payload Initialization Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's virtio transport for vsock, in how it handles non-linear socket buffers (skbs). When a non-linear skb is processed, the function that builds the skb for the vsock monitor tap device does not correctly initialize the iteration state needed to copy the payload. Because that state is initialized to zero, no data is transferred to the monitor interface and the copied payload area is left uninitialized, potentially leading to undefined behavior. The vulnerability affects several versions of the Linux kernel.

Impact

When non-linear socket buffers are processed, the payload delivered to the vsock monitor interface is left uninitialized, which can lead to undefined behavior in applications that rely on that interface.

Reproduction

To reproduce this vulnerability, create a scenario where non-linear socket buffers are used with the virtio transport for vsock. This can be done by sending data that exceeds the linear buffer limit, causing the skb to become non-linear. Once the non-linear skb is processed by the virtio_transport_build_skb() function, the vulnerability can be observed: no payload is copied to the vsock monitor tap device, leaving the data uninitialized.

Remediation

The vulnerability has been addressed by modifying the skb handling to correctly manage both linear and non-linear cases. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
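
The bug class described above can be seen in a simplified user-space model, added here as an illustration; it is not kernel code and not taken from the fix. The names dest_iter, frag, copy_frags_to_iter and build_tap_copy are hypothetical, and POISON stands in for whatever the reserved payload area held before the copy.

```c
#include <stdio.h>
#include <string.h>

#define POISON 0xAA  /* constructed marker for "reserved but never written" */

/* Hypothetical stand-ins: a destination iterator and a fragmented payload. */
struct dest_iter { unsigned char *base; size_t count; };
struct frag { const unsigned char *data; size_t len; };

/* Copy up to len bytes from the fragments, bounded by it->count. */
static size_t copy_frags_to_iter(const struct frag *f, size_t nfrags,
                                 struct dest_iter *it, size_t len)
{
    size_t copied = 0;
    for (size_t i = 0; i < nfrags && copied < len && it->count; i++) {
        size_t n = f[i].len;
        if (n > len - copied) n = len - copied;
        if (n > it->count) n = it->count;
        memcpy(it->base, f[i].data, n);
        it->base += n;
        it->count -= n;
        copied += n;
    }
    return copied;  /* callers should compare this with the expected length */
}

/* Build the monitor copy; init_count = 0 models the bug, 1 the correction. */
static size_t build_tap_copy(unsigned char *out, size_t payload_len, int init_count)
{
    static const unsigned char a[] = "vsock-", b[] = "payload";
    const struct frag frags[] = { { a, 6 }, { b, 7 } };  /* non-linear source */
    struct dest_iter it = { 0 };  /* zeroed iteration state */

    memset(out, POISON, payload_len);  /* space reserved, contents undefined */
    it.base = out;
    if (init_count)
        it.count = payload_len;  /* fully initialized: copy may proceed */
    return copy_frags_to_iter(frags, 2, &it, payload_len);
}

int main(void)
{
    unsigned char buf[13];
    size_t bad = build_tap_copy(buf, sizeof buf, 0);
    printf("zeroed iterator: copied=%zu first byte=0x%02X\n", bad, buf[0]);
    size_t good = build_tap_copy(buf, sizeof buf, 1);
    printf("initialized iterator: copied=%zu payload=%.13s\n", good, (char *)buf);
    return 0;
}
```

With the zeroed iterator the copy reports 0 bytes and the buffer still holds the marker; checking the returned byte count against the payload length is what exposes the failure.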

Added: May 28, 2026, 11:26 AM
Updated: May 28, 2026, 11:26 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.