-

CVE-2026-52995

net/rds: zero per-item info buffer before handing it to visitors

In the Linux kernel, the following vulnerability has been resolved:

net/rds: zero per-item info buffer before handing it to visitors

rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a
caller-allocated on-stack u64 buffer to a per-connection visitor and
then copy the full item_len bytes back to user space via
rds_info_copy() regardless of how much of the buffer the visitor
actually wrote.

rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only
write a subset of their output struct when the underlying
rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl
and the two GIDs via explicit memsets). Several u32 fields
(max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size,
cache_allocs) and the 2-byte alignment hole between sl and
cache_allocs remain as whatever stack contents preceded the visitor
call and are then memcpy_to_user()'d out to user space.

struct rds_info_rdma_connection and struct rds6_info_rdma_connection
are the only rds_info_* structs in include/uapi/linux/rds.h that are
not marked __attribute__((packed)), so they have a real alignment
hole. The other info visitors (rds_conn_info_visitor,
rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of
their packed output struct today and are not known to be vulnerable,
but a future visitor that adds a conditional write-path would have
the same bug.

Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y:
a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB,
binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on
any netdev is sufficient), sendto()'s any peer on the same subnet
(fails cleanly but installs an rds_connection in the global hash in
RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS,
RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26
bytes of stack garbage including kernel text/data pointers:

    0..7   0a 63 00 01 0a 63 00 02     src=10.99.0.1 dst=10.99.0.2
    8..39  00 ...                      gids (memset-zeroed)
    40..47 e0 92 a3 81 ff ff ff ff     kernel pointer (max_send_wr)
    48..55 7f 37 b5 81 ff ff ff ff     kernel pointer (rdma_mr_max)
    56..59 01 00 08 00                 rdma_mr_size (garbage)
    60..61 00 00                       tos, sl
    62..63 00 00                       alignment padding
    64..67 18 00 00 00                 cache_allocs (garbage)

Fix by zeroing the per-item buffer in both rds_for_each_conn_info()
and rds_walk_conn_path_info() before invoking the visitor. This
covers the IPv4/IPv6 IB visitors and hardens all current and future
visitors against the same class of bug.

No functional change for visitors that fully populate their output.

Changes in v2:
- retarget at the net tree (subject prefix "[PATCH net v2]",
  net/rds: prefix in the title)
- pick up Reviewed-by tags from Sharath Srinivasan and
  Allison Henderson
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version ec16227e14141e4fd7ae76354c09dadfe2449d9e
Version < 81651e9d7dea1c048d2952f57632a042931d7b43
Status affected
Version ec16227e14141e4fd7ae76354c09dadfe2449d9e
Version < 0797b2e6901827694aa9c34c4c72118c8c97fba1
Status affected
Version ec16227e14141e4fd7ae76354c09dadfe2449d9e
Version < 5e67cc262afb384e835c3327e9d954eeaedc6a87
Status affected
Version ec16227e14141e4fd7ae76354c09dadfe2449d9e
Version < b6ba93a7b71ed443c9843eb12d27ed86f1e52694
Status affected
Version ec16227e14141e4fd7ae76354c09dadfe2449d9e
Version < c7cb9eed8215a790f052f49cdccf577720d2bb62
Status affected
Version ec16227e14141e4fd7ae76354c09dadfe2449d9e
Version < 91ce1bb6e4194dc2321748f68145359dcf86e350
Status affected
Version ec16227e14141e4fd7ae76354c09dadfe2449d9e
Version < 912ba2e5704fdb8bc5decda96dfc1a57838f0099
Status affected
Version ec16227e14141e4fd7ae76354c09dadfe2449d9e
Version < c88eb7e8d8397a8c1db59c425332c5a30b2a1682
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 2.6.30
Status affected
Version 0
Version < 2.6.30
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.18% 0.074
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/81651e9d7dea1c048d2952f57632a042931d7b43
https://git.kernel.org/stable/c/0797b2e6901827694aa9c34c4c72118c8c97fba1
https://git.kernel.org/stable/c/5e67cc262afb384e835c3327e9d954eeaedc6a87
https://git.kernel.org/stable/c/b6ba93a7b71ed443c9843eb12d27ed86f1e52694
https://git.kernel.org/stable/c/c7cb9eed8215a790f052f49cdccf577720d2bb62
https://git.kernel.org/stable/c/91ce1bb6e4194dc2321748f68145359dcf86e350
https://git.kernel.org/stable/c/912ba2e5704fdb8bc5decda96dfc1a57838f0099
https://git.kernel.org/stable/c/c88eb7e8d8397a8c1db59c425332c5a30b2a1682