Missing Initialization of Resource Affecting perf package, versions *


Severity

Recommended
0.0
medium
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.18% (8th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS6-PERF-17657425
  • published27 Jun 2026
  • disclosed24 Jun 2026

Introduced: 24 Jun 2026

NewCVE-2026-52995  (opens in a new tab)
CWE-909  (opens in a new tab)

How to fix?

There is no fixed version for Centos:6 perf.

NVD Description

Note: Versions mentioned in the description apply only to the upstream perf package and not the perf package as distributed by Centos. See How to fix? for Centos:6 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

net/rds: zero per-item info buffer before handing it to visitors

rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote.

rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d out to user space.

struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only rds_info_* structs in include/uapi/linux/rds.h that are not marked attribute((packed)), so they have a real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug.

Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers:

0..7   0a 63 00 01 0a 63 00 02     src=10.99.0.1 dst=10.99.0.2
8..39  00 ...                      gids (memset-zeroed)
40..47 e0 92 a3 81 ff ff ff ff     kernel pointer (max_send_wr)
48..55 7f 37 b5 81 ff ff ff ff     kernel pointer (rdma_mr_max)
56..59 01 00 08 00                 rdma_mr_size (garbage)
60..61 00 00                       tos, sl
62..63 00 00                       alignment padding
64..67 18 00 00 00                 cache_allocs (garbage)

Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug.

No functional change for visitors that fully populate their output.

Changes in v2:

  • retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title)
  • pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson

CVSS Base Scores

version 3.1