Description
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
Struct ff_effect_compat, which is embedded twice inside
uinput_ff_upload_compat, contains internal padding. In particular, there
is a hole after struct ff_replay to satisfy alignment requirements for
the following union member. Without clearing the structure,
copy_to_user() may leak stack data to userspace.
Initialize ff_up_compat to zero before filling valid fields.
An information disclosure flaw was found in the Linux kernel's uinput driver in the force feedback upload handling for 32-bit compatibility mode. A local user can trigger this issue by performing force feedback upload operations through the uinput device, where uninitialized padding bytes in the uinput_ff_upload_compat structure are copied to userspace. This leaks kernel stack memory contents to unprivileged users.
Statement
The uinput driver provides a userspace interface for creating virtual input devices with force feedback support. When handling FF_UPLOAD requests in 32-bit compatibility mode, the driver constructs a uinput_ff_upload_compat structure on the stack. This structure embeds ff_effect_compat twice, which contains internal padding bytes for alignment (notably after struct ff_replay before a union member). The code populates the valid fields but leaves padding uninitialized. When copy_to_user() transfers the entire structure, these padding bytes expose whatever stack data happened to occupy that memory. While the leaked data is limited in size and content is unpredictable, it could potentially reveal kernel pointers or other sensitive information useful for defeating KASLR or further exploitation.
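The mechanism above is easy to reproduce in userspace with an ordinary C struct. The following program is an added illustration, not code from the kernel or from this advisory: it defines a constructed stand-in layout (a run of 2-byte members followed by a union with stricter alignment, so the compiler inserts a hole, as the advisory describes for ff_effect_compat), pre-fills the storage with a sentinel byte that stands in for stale stack contents, and then compares the "fill valid fields only" pattern against the fixed "clear the whole object, then fill" pattern by counting how many sentinel bytes survive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the layout the advisory describes (not the
 * kernel's real ff_effect_compat): the 2-byte members end at offset 10,
 * which the following union cannot start at, so a padding hole appears. */
struct demo_replay {
    uint16_t length;
    uint16_t delay;
};

struct demo_effect {
    uint16_t type;
    int16_t id;
    uint16_t direction;
    struct demo_replay replay;   /* ends at offset 10 */
    /* alignment hole lives here: on common 64-bit ABIs the union needs
     * 8-byte alignment, so it starts at offset 16 */
    union {
        uint64_t wide;           /* only present to force the alignment */
        uint32_t small;          /* the member the code path actually writes */
    } u;
};

/* View the same storage as the struct and as raw bytes (union type punning). */
union demo_storage {
    struct demo_effect e;
    unsigned char bytes[sizeof(struct demo_effect)];
};

/* Sentinel standing in for whatever the stack frame held before the
 * structure was placed on it. */
#define STALE 0xAA

/* Writes every field a correct caller would set ("fill valid fields"). */
static void populate(struct demo_effect *e)
{
    e->type = 0x51;              /* arbitrary constructed values */
    e->id = -1;
    e->direction = 0x4000;
    e->replay.length = 100;
    e->replay.delay = 0;
    e->u.small = 7;
}

static size_t count_stale(const unsigned char *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        c += (p[i] == STALE);
    return c;
}

/* Vulnerable pattern: only the valid fields are assigned, so every byte not
 * covered by an assignment keeps its old content and would be handed to
 * userspace unchanged by a whole-object copy_to_user(). */
size_t stale_bytes_unzeroed(void)
{
    union demo_storage s;
    memset(s.bytes, STALE, sizeof s.bytes);   /* simulate stale stack data */
    populate(&s.e);
    return count_stale(s.bytes, sizeof s.bytes);
}

/* Fixed pattern: clear the whole object first, then fill the valid fields. */
size_t stale_bytes_zeroed(void)
{
    union demo_storage s;
    memset(s.bytes, STALE, sizeof s.bytes);   /* simulate stale stack data */
    memset(&s.e, 0, sizeof s.e);              /* the fix */
    populate(&s.e);
    return count_stale(s.bytes, sizeof s.bytes);
}

/* Bytes populate() never touches: the hole before the union plus the part
 * of the union beyond the member that was written. */
size_t expected_stale_bytes(void)
{
    size_t hole = offsetof(struct demo_effect, u)
                - (offsetof(struct demo_effect, replay) + sizeof(struct demo_replay));
    size_t union_tail = sizeof(((struct demo_effect *)0)->u) - sizeof(uint32_t);
    return hole + union_tail;
}

int main(void)
{
    printf("sizeof(struct demo_effect) = %zu, untouched bytes = %zu\n",
           sizeof(struct demo_effect), expected_stale_bytes());
    printf("stale bytes without zeroing: %zu\n", stale_bytes_unzeroed());
    printf("stale bytes with zeroing:    %zu\n", stale_bytes_zeroed());
    return 0;
}
```

Two points the numbers make concrete: the hole is not the only exposure, since a union is as large as its largest member and writing a smaller member leaves the tail untouched; and clearing the object with memset() before filling it is what removes both, whereas brace initialization of named members is not guaranteed by the C standard to zero padding. For a kernel struct, the pahole tool (from dwarves) reports exactly where such holes sit, which is a useful check when auditing any copy_to_user() of a whole stack object.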
Mitigation
To mitigate this issue, prevent the uinput module from being loaded if virtual input devices are not required. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | | |
| Red Hat Enterprise Linux 7 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 7 | kernel-rt | Fix deferred | | |
| Red Hat Enterprise Linux 8 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred | | |
Additional information
CVSS3 score: 3.3 Low