CVE-2015-7885: Kernel Infoleak vulnerability in dgnc_mgmt_ioctl()


CVE: CVE-2015-7885
Author: Salva Peiró
Date: October 2015 - Discovery of the vulnerability.
Impact: The vulnerability discloses 16 bytes of kernel process stack.
Affected Versions: From linux-3.11.0-rc3 to linux-4.3-rc6
Bug Timespan: 2 years, from 2013 to 2015, commit 0b99d58902dd82fa51216eb8e0d6ddd8c43e90e4
Patch: fix commit 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05


The dgnc_mgmt_ioctl() code fails to initialize the 16 reserved bytes of struct digi_dinfo that follow the ->dinfo_nboards member, so whatever the kernel stack held at that position is disclosed to user space. The fix adds an explicit memset(0) before the structure is filled.
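The following user-space model is an added example, not code from the advisory or from the dgnc driver. It mirrors the two versions of the structure fill (before and after the memset) and applies the check a reviewer would use to confirm an infoleak fix: poison the destination with a marker byte standing in for stale stack contents, run the fill, and count the bytes still carrying the marker, since those are exactly the bytes a later copy to user space would disclose. The field sizes of struct digi_dinfo and the DG_PART string are assumptions modelled on the text of this page, not the real driver header.

```c
/* Added example (not from the advisory or the dgnc driver): a user-space model of the
 * struct digi_dinfo fill in dgnc_mgmt_ioctl(). Field sizes are assumptions modelled on
 * the advisory text; DG_PART is a placeholder for the driver's version string. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define DG_PART "40002369_F"   /* placeholder version string (assumption) */
#define POISON  0xAA           /* marker standing in for stale kernel stack contents */

struct digi_dinfo {
    unsigned int dinfo_nboards;      /* # boards configured (named on the page) */
    char         dinfo_reserved[16]; /* assumption: the 16 reserved bytes the advisory says leak */
    char         dinfo_version[16];  /* assumption on size; filled with sprintf("%s", DG_PART) */
};

/* Models the pre-fix path: individual members are stored, the struct is never zeroed. */
static void fill_dinfo_vulnerable(struct digi_dinfo *ddi, unsigned int nboards)
{
    ddi->dinfo_nboards = nboards;
    sprintf(ddi->dinfo_version, "%s", DG_PART);
}

/* Models the patched path: memset(&ddi, 0, sizeof(ddi)) precedes the member stores. */
static void fill_dinfo_fixed(struct digi_dinfo *ddi, unsigned int nboards)
{
    memset(ddi, 0, sizeof(*ddi));
    ddi->dinfo_nboards = nboards;
    sprintf(ddi->dinfo_version, "%s", DG_PART);
}

/* Infoleak check: poison the destination first, run the fill, then count every byte
 * that still carries the poison. Those bytes are what a copy to user space would leak.
 * Note that the unwritten tail of dinfo_version after the NUL counts as well: sprintf()
 * does not clear the rest of its buffer, so the memset() also covers that tail. */
static size_t count_leaked_bytes(void (*fill)(struct digi_dinfo *, unsigned int))
{
    struct digi_dinfo ddi;
    const unsigned char *p = (const unsigned char *)&ddi;
    size_t leaked = 0;

    memset(&ddi, POISON, sizeof(ddi));
    fill(&ddi, 1);
    for (size_t i = 0; i < sizeof(ddi); i++)
        if (p[i] == POISON)
            leaked++;
    return leaked;
}

/* Named results for each code path. */
size_t leaked_bytes_vulnerable(void) { return count_leaked_bytes(fill_dinfo_vulnerable); }
size_t leaked_bytes_fixed(void)      { return count_leaked_bytes(fill_dinfo_fixed); }

int main(void)
{
    /* With the assumed layout: 16 reserved bytes + 5 unwritten bytes of dinfo_version = 21. */
    printf("vulnerable fill leaves %zu poisoned bytes\n", leaked_bytes_vulnerable());
    printf("patched fill leaves    %zu poisoned bytes\n", leaked_bytes_fixed());
    return 0;
}
```

The poisoning step is what makes the check deterministic: a genuinely uninitialized local may happen to contain zeros in a test run and hide the bug, whereas a known marker makes every byte the fill failed to write visible.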

The patch fixing the Infoleak

After verification, the patch that fixes the vulnerability was submitted to the kernel:

[PATCH] staging/dgnc: fix info leak in ioctl

diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c
index b13318a..883e2a8 100644
--- a/drivers/staging/dgnc/dgnc_mgmt.c
+++ b/drivers/staging/dgnc/dgnc_mgmt.c
@@ -115,6 +115,7 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)

        spin_lock_irqsave(&dgnc_global_lock, flags);

+       memset(&ddi, 0, sizeof(ddi));
        ddi.dinfo_nboards = dgnc_NumBoards;
        sprintf(ddi.dinfo_version, "%s", DG_PART);
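Review bot: the memset() only touches the local ddi, so it could sit before the spin_lock_irqsave(&dgnc_global_lock, flags) rather than inside the critical section; keeping the locked region to the shared-state reads (dgnc_NumBoards) is the usual style. The zeroing itself is the right fix: besides the reserved bytes, it also clears the tail of dinfo_version that sprintf(ddi.dinfo_version, "%s", DG_PART) leaves unwritten after the terminating NUL, so both previously uninitialized regions now reach user space as zeros.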