CVE-2023-50431: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-50431 is a security vulnerability discovered in the Linux kernel through version 6.6.5, specifically affecting the Habana's AI Processors driver. The vulnerability exists in the sec_attest_info function within drivers/accel/habanalabs/common/habanalabs_ioctl.c, where an information leak to user space occurs due to an uninitialized info->pad0 field (NVD, Ubuntu Security).

The vulnerability stems from a missing initialization in the habanalabs driver's sec_attest_info function. When copying data structures to user space, the pad0 field of struct hl_info_sec_attest remains uninitialized, potentially exposing sensitive kernel heap data. The issue has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access requirements and high confidentiality impact (NVD).

The vulnerability allows a local attacker to potentially expose sensitive information from kernel memory. The impact is limited to information disclosure without affecting system integrity or availability (Ubuntu Security).

The vulnerability has been fixed by using kzalloc() instead of kmalloc() to allocate and zero out the buffer, which prevents the information leak and eliminates other potential uninitialized holes. The fix has been implemented in various Linux distributions, including Ubuntu 23.10 (version 6.5.0-27.28) and other affected versions (Kernel Commit).