References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

In the Linux kernel, the following vulnerability has been resolved:

xfrm: clear trailing padding in build_polexpire()

build_expire() clears the trailing padding bytes of struct
xfrm_user_expire after setting the hard field via memset_after(),
but the analogous function build_polexpire() does not do this for
struct xfrm_user_polexpire.

The padding bytes after the __u8 hard field are left
uninitialized from the heap allocation, and are then sent to
userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
leaking kernel heap memory contents.

Add the missing memset_after() call, matching build_expire().

https://git.kernel.org/stable/c/71a98248c63c535eaa4d4c22f099b68d902006d0

https://git.kernel.org/stable/c/ac6985903db047eaff54db929e4bf6b06782788e

https://git.kernel.org/stable/c/b1dfd6b27df35ef4f87825aa5f607378d23ff0f2

https://git.kernel.org/stable/c/c221ed63a2769a0af8bd849dfe25740048f34ef4

https://git.kernel.org/stable/c/e1af65c669ebb1666c54576614c01a7f9ffcfff6

https://git.kernel.org/stable/c/eda30846ea54f8ed218468e5480c8305ca645e37