Summary
CVE | CVE-2015-7884 |
---|---|
Author | Salva Peiró |
Date | October 2015 - Discovery of the vulnerability. |
Impact | The vulnerability discloses 16 bytes of kernel process stack. |
Affected Versions | From linux-3.17.0-rc1 to linux-4.3-rc6 |
Bug Timespan | 1 year: from 2014 to 2015 commit ad4e02d5081d9da38b5b91886e5fa71f0505d607 |
Patch fix | commit eda98796aff0d9bf41094b06811f5def3b4c333c |
Description
The vivid_fb_ioctl() code fails to initialize the 16 reserved bytes of struct fb_vblank after the ->hcount member. The fix is to add an explicit memset(0) before filling the structure, which avoids the info leak.
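The leak pattern described above, modelled in user space as an added example (this is not the kernel's or the author's code). The struct mirrors the layout of struct fb_vblank; the names `vblank_mirror`, `fill_vblank`, `leaked_bytes`, the `STALE` marker and the flag value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace mirror of struct fb_vblank: four fields plus 16 reserved bytes. */
struct vblank_mirror {
	uint32_t flags;
	uint32_t count;
	uint32_t vcount;
	uint32_t hcount;
	uint32_t reserved[4];	/* never written by the pre-patch ioctl path */
};

#define STALE 0xA5	/* constructed marker standing in for old stack contents */

/* Fill the reply field by field; zero_first selects the patched behaviour. */
static void fill_vblank(struct vblank_mirror *v, int zero_first)
{
	if (zero_first)
		memset(v, 0, sizeof(*v));
	v->flags = 0x1;		/* placeholder, not the driver's real flag mask */
	v->count = 0;
	v->vcount = 0;		/* assumed: every field up to hcount is set */
	v->hcount = 0;
}

/* Return how many bytes of the outgoing reply still carry stale data. */
static size_t leaked_bytes(int zero_first)
{
	struct vblank_mirror v;
	unsigned char out[sizeof(v)];
	size_t i, n = 0;

	memset(&v, STALE, sizeof(v));	/* model a stack slot holding old data */
	fill_vblank(&v, zero_first);
	memcpy(out, &v, sizeof(out));	/* stands in for copy_to_user() */
	for (i = 0; i < sizeof(out); i++)
		n += (out[i] == STALE);
	return n;
}

int main(void)
{
	printf("unpatched: %zu stale bytes, first at offset %zu\n",
	       leaked_bytes(0), offsetof(struct vblank_mirror, reserved));
	printf("patched:   %zu stale bytes\n", leaked_bytes(1));
	return 0;
}
```

The same byte-counting check works as a regression test for any reply struct copied out whole: pre-fill the buffer with a marker and require that none of it survives.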
The patch fixing the info leak
After verification, the patch that fixes the vulnerability was submitted to the kernel:
[PATCH] media/vivid-osd: fix info leak in ioctl
diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c index 084d346..e15eef6 100644 --- a/drivers/media/platform/vivid/vivid-osd.c +++ b/drivers/media/platform/vivid/vivid-osd.c @@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg) case FBIOGET_VBLANK: { struct fb_vblank vblank; + memset(&vblank, 0, sizeof(vblank)); vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT | FB_VBLANK_HAVE_VSYNC; vblank.count = 0;
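Review bot: In the FBIOGET_VBLANK case the new memset(&vblank, 0, sizeof(vblank)) sits directly under the declaration with nothing in the code saying why it is needed. The assignments that follow write only the named members, so the memset is the only thing clearing the reserved bytes of struct fb_vblank. A one-line comment stating that it zeroes the reserved area before the struct is returned to user space would keep a later cleanup from removing it as a redundant initialisation. Using memset over the whole object, rather than a partial initializer, is the right form here and should stay.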