net/rds: zero per-item info buffer before handing it to visitors

Summary

CVE	CVE-2026-52995
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-24 17:17:10 UTC
Updated	2026-06-24 17:17:10 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net/rds: zero per-item info buffer before handing it to visitors rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote. rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d out to user space. struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only rds_info_* structs in include/uapi/linux/rds.h that are not marked __attribute__((packed)), so they have a real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug. Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers: 0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2 8..39 00 ... gids (memset-zeroed) 40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr) 48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max) 56..59 01 00 08 00 rdma_mr_size (garbage) 60..61 00 00 tos, sl 62..63 00 00 alignment padding 64..67 18 00 00 00 cache_allocs (garbage) Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug. No functional change for visitors that fully populate their output. Changes in v2: - retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title) - pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected ec16227e14141e4fd7ae76354c09dadfe2449d9e 81651e9d7dea1c048d2952f57632a042931d7b43 git	Not specified
CNA	Linux	Linux	affected ec16227e14141e4fd7ae76354c09dadfe2449d9e 0797b2e6901827694aa9c34c4c72118c8c97fba1 git	Not specified
CNA	Linux	Linux	affected ec16227e14141e4fd7ae76354c09dadfe2449d9e 5e67cc262afb384e835c3327e9d954eeaedc6a87 git	Not specified
CNA	Linux	Linux	affected ec16227e14141e4fd7ae76354c09dadfe2449d9e b6ba93a7b71ed443c9843eb12d27ed86f1e52694 git	Not specified
CNA	Linux	Linux	affected ec16227e14141e4fd7ae76354c09dadfe2449d9e c7cb9eed8215a790f052f49cdccf577720d2bb62 git	Not specified
CNA	Linux	Linux	affected ec16227e14141e4fd7ae76354c09dadfe2449d9e 91ce1bb6e4194dc2321748f68145359dcf86e350 git	Not specified
CNA	Linux	Linux	affected ec16227e14141e4fd7ae76354c09dadfe2449d9e 912ba2e5704fdb8bc5decda96dfc1a57838f0099 git	Not specified
CNA	Linux	Linux	affected ec16227e14141e4fd7ae76354c09dadfe2449d9e c88eb7e8d8397a8c1db59c425332c5a30b2a1682 git	Not specified
CNA	Linux	Linux	affected 2.6.30	Not specified
CNA	Linux	Linux	unaffected 2.6.30 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.258 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.209 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.175 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.141 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.91 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.33 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.10 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/c88eb7e8d8397a8c1db59c425332c5a30b2a1682	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/b6ba93a7b71ed443c9843eb12d27ed86f1e52694	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0797b2e6901827694aa9c34c4c72118c8c97fba1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/91ce1bb6e4194dc2321748f68145359dcf86e350	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/912ba2e5704fdb8bc5decda96dfc1a57838f0099	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c7cb9eed8215a790f052f49cdccf577720d2bb62	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/81651e9d7dea1c048d2952f57632a042931d7b43	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5e67cc262afb384e835c3327e9d954eeaedc6a87	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.