CVE-2015-7884: Kernel Infoleak vulnerability in vivid_fb_ioctl()

Summary

CVE CVE-2015-7884
Author Salva Peiró
Date October 2015 - Discovery of the vulnerability.
Impact The vulnerability discloses 16 bytes of kernel process stack.
Affected Versions From linux-3.17.0-rc1 to linux-4.3-rc6
Bug Timespan 1 year: from 2014 to 2015 commit ad4e02d5081d9da38b5b91886e5fa71f0505d607
Patch fix commit eda98796aff0d9bf41094b06811f5def3b4c333c

Description

The vivid_fb_ioctl() code fails to initialize the 16 reserved bytes of struct fb_vblank after the ->hcount member. Add an explicit memset(0) before filling the structure to avoid the info leak.

The patch fixing the Infoleak

After verification the patch that fixes the vulnerability has been submitted to the kernel:

[PATCH] media/vivid-osd: fix info leak in ioctl

diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
index 084d346..e15eef6 100644
--- a/drivers/media/platform/vivid/vivid-osd.c
+++ b/drivers/media/platform/vivid/vivid-osd.c
@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
    case FBIOGET_VBLANK: {
        struct fb_vblank vblank;

+       memset(&vblank, 0, sizeof(vblank));
        vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
            FB_VBLANK_HAVE_VSYNC;
        vblank.count = 0;