CVE-2025-38006

MEDIUM 5.5 / 10.0
Published: June 18, 2025 at 10:15 AM
Modified: November 14, 2025 at 04:42 PM
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved:

net: mctp: Don't access ifa_index when missing

In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox "ip addr show".

The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index).

BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
 mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
 rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380
 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824
 netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309

CVSS Metrics

Base Score
5.5
Severity
MEDIUM
Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

A vulnerability (rated MEDIUM, CVSS 5.5, local attack vector) exists in the Linux kernel's MCTP (Management Component Transport Protocol) implementation: an uninitialised memory read in the address-dump path. It is triggered by a netlink RTM_GETADDR dump request from a local process that omits the struct ifaddrmsg header, a request shape that ordinary tools such as dhcpd and busybox "ip addr show" send. The consequences are an unpredictable interface filter and a KMSAN-reported uninit-value error, so the practical impact is denial of service, with the analysis below also considering information leakage.

02 // Vulnerability Mechanism

Step 1: Triggering the Vulnerability: A user-space program, such as dhcpd or busybox 'ip addr show', attempts to dump MCTP address information.

Step 2: Kernel Interaction: The user-space program interacts with the kernel via the netlink interface, requesting MCTP address information.

Step 3: Function Call: The kernel calls mctp_dump_addrinfo to retrieve the MCTP address information.

Step 4: Missing Validation: The mctp_dump_addrinfo function attempts to filter based on ifa_index without checking if the struct ifaddrmsg is present.

Step 5: Uninitialized Memory Access: Because the struct ifaddrmsg is not provided, the code reads from uninitialized memory when comparing ifa_index values.

Step 6: Information Leakage/Crash: The uninitialized memory read can lead to a system crash or potentially leak sensitive kernel memory, depending on the contents of the uninitialized memory.
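The missing length check described in steps 4 and 5, as added example code (not the kernel's code and not taken from this page): the unchecked filter beside the hardened one, both run on a constructed header-only netlink request. The struct names with an _x suffix, STALE_BYTE, build_request and dump_filter are assumptions made for this example; only the field layouts mirror the real uapi structs.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins, same layout as struct nlmsghdr / struct ifaddrmsg in
 * the Linux uapi headers, renamed so the file builds on any platform. */
struct nlmsg_hdr_x { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags; uint32_t nlmsg_seq, nlmsg_pid; };
struct ifaddrmsg_x { uint8_t ifa_family, ifa_prefixlen, ifa_flags, ifa_scope; uint32_t ifa_index; };

#define STALE_BYTE 0xAA /* models memory the requester never wrote */

/* Vulnerable pattern: assumes an ifaddrmsg always follows the netlink header, so a
 * header-only request reads bytes that are not part of the message. */
static uint32_t filter_index_unchecked(const struct nlmsg_hdr_x *nlh)
{
    return ((const struct ifaddrmsg_x *)(nlh + 1))->ifa_index;
}

/* Hardened pattern: honour ifa_index only when nlmsg_len says it is present;
 * a missing header means "no filter", the same meaning as ifa_index == 0. */
static uint32_t filter_index_checked(const struct nlmsg_hdr_x *nlh)
{
    if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(struct ifaddrmsg_x))
        return 0;
    return ((const struct ifaddrmsg_x *)(nlh + 1))->ifa_index;
}

/* Build a dump request in caller storage that is pre-filled with STALE_BYTE
 * beyond the bytes the sender actually writes. */
static struct nlmsg_hdr_x *build_request(void *storage, size_t size, int with_hdr, uint32_t ifa_index)
{
    memset(storage, STALE_BYTE, size);
    struct nlmsg_hdr_x *nlh = storage;
    memset(nlh, 0, sizeof(*nlh));
    nlh->nlmsg_len = sizeof(*nlh);
    if (with_hdr) {
        struct ifaddrmsg_x *hdr = (struct ifaddrmsg_x *)(nlh + 1);
        memset(hdr, 0, sizeof(*hdr));
        hdr->ifa_index = ifa_index;
        nlh->nlmsg_len += sizeof(*hdr);
    }
    return nlh;
}

/* Run one request through either filter; with_hdr == 0 is the dhcpd /
 * busybox "ip addr show" case from the report. */
uint32_t dump_filter(int with_hdr, uint32_t ifa_index, int checked)
{
    uint32_t storage[16]; /* uint32_t storage keeps the struct casts aligned */
    struct nlmsg_hdr_x *nlh = build_request(storage, sizeof storage, with_hdr, ifa_index);
    return checked ? filter_index_checked(nlh) : filter_index_unchecked(nlh);
}
```

For the header-only request the unchecked filter returns whatever followed the message (here the 0xAA sentinel, so no interface matches), while the checked filter returns 0 and dumps every interface, which is the behaviour the fix restores.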

03 // Deep Technical Analysis

The vulnerability stems from a flaw in the mctp_dump_addrinfo function within the Linux kernel's MCTP implementation. The function filters network interfaces on the ifa_index field of the request's struct ifaddrmsg, but it did so without first checking that the netlink request was long enough to carry that struct. When a requester sends only the netlink header, as dhcpd and busybox "ip addr show" do, the ifa_index that the code compares against was never written by the requester, which is the uninit-value error reported by KMSAN (Kernel Memory Sanitizer) at net/mctp/device.c:128 in the trace above. The root cause is therefore a missing presence check for struct ifaddrmsg before ifa_index is read, and the fix is exactly that check: do not access ifa_index when the struct is missing. The vulnerability is not a buffer overflow or a race condition, but an uninitialised memory read that makes the dump filter unpredictable and can crash or leak kernel memory contents depending on what happens to occupy that memory.

CVE-2025-38006 - MEDIUM Severity (5.5) | Free CVE Database | 4nuxd