DF-0388
Kernel heap info leak via uninitialized rt_msghdr.rtm_inits in NET_RT_DUMP sysctl: no M_ZERO on buffer
Summary
rttable_walkarg_create (:1676) allocates the walk buffer with kmalloc(w_bufsz, M_TEMP, M_WAITOK | M_NULLOK) WITHOUT M_ZERO. rt_msg_buffer (:1127-1130) only sets rtm_version, rtm_type and rtm_msglen. rttable_walk_entry (:1795-1801) sets the flags, use, rmx, index, errno, pid, seq and addrs fields but NEVER sets rtm_inits (a u_long, ~8 bytes at offset ~32). The 2 bytes of struct padding between rtm_index (u_short, offset 4) and rtm_flags (int, offset 8) are also never written. The buffer is then passed to SYSCTL_OUT (:1855) verbatim. The NET_RT_DUMP sysctl is CTLFLAG_RD with no privilege check (:1884 only blocks writes). Any unprivileged local user can therefore collect stale M_TEMP heap bytes (~10 per route entry), which are useful for a KASLR bypass.
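Added example (not code from the report or from the kernel): a constructed header with the same layout properties the report describes (a u_short at offset 4 followed by an int at offset 8, and a trailing u_long the writer never sets), a writer that fills every field except that one, and a canary-based check a reviewer can use to count how many bytes reach the output buffer untouched; the same check shows the count drop to zero when the buffer is zeroed before the writer runs, which is the M_ZERO-style fix. All struct and field names here are stand-ins, not the real struct rt_msghdr.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the message header layout in the report.
 * Not the kernel's struct rt_msghdr; only the layout properties matter. */
struct msg_hdr {
    uint16_t msglen;
    uint8_t  version;
    uint8_t  type;
    uint16_t index;   /* offset 4; 2 bytes of compiler padding follow */
    int32_t  flags;   /* offset 8 */
    int32_t  addrs;
    int32_t  pid;
    int32_t  seq;
    int32_t  error;
    uint32_t use;
    uint64_t inits;   /* offset 32; never written by fill_entry() */
};
_Static_assert(offsetof(struct msg_hdr, flags) == 8, "padding after index");
_Static_assert(offsetof(struct msg_hdr, inits) == 32, "inits at offset 32");

#define CANARY 0xAA   /* stands in for stale heap contents */

/* Mimics a writer that sets every field except inits and never touches
 * the padding bytes. */
static void fill_entry(struct msg_hdr *m)
{
    m->msglen = sizeof *m; m->version = 5; m->type = 4; m->index = 1;
    m->flags = 0x1; m->addrs = 0x3; m->pid = 0; m->seq = 0;
    m->error = 0; m->use = 7;
}

/* Pre-fill the buffer with a canary, optionally zero it (the fix), run the
 * writer, and count bytes still equal to the canary: each one would be
 * copied out to userland verbatim. */
size_t unwritten_bytes(int zero_first)
{
    _Alignas(struct msg_hdr) unsigned char buf[sizeof(struct msg_hdr)];
    memset(buf, CANARY, sizeof buf);
    if (zero_first)
        memset(buf, 0, sizeof buf);   /* equivalent of allocating with M_ZERO */
    fill_entry((struct msg_hdr *)buf);
    size_t n = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        n += (buf[i] == CANARY);
    return n;   /* 10 without zeroing (2 padding + 8 inits), 0 with it */
}

int main(void)
{
    printf("unzeroed: %zu bytes leak\n", unwritten_bytes(0));
    printf("zeroed:   %zu bytes leak\n", unwritten_bytes(1));
    return 0;
}
```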