Summary
CVE | CVE-2015-7885 |
---|---|
Author | Salva Peiró |
Date | October 2015 - Discovery of the vulnerability. |
Impact | The vulnerability discloses 16 bytes of kernel process stack. |
Affected Versions | From linux-3.11.0-rc3 to linux-4.3-rc6 |
Bug Timespan | 2 years: from 2013 to 2015 commit 0b99d58902dd82fa51216eb8e0d6ddd8c43e90e4 |
Patch fix | commit 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05 |
Description
The dgnc_mgmt_ioctl() code fails to initialize the 16 reserved bytes of struct digi_dinfo after the ->dinfo_nboards member. Add an explicit memset(0) before filling the structure to avoid the info leak.
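The leak described above can be reproduced in user space with a poison-and-check harness, given here as an added example that is not code from the driver or from the advisory's author. The `model_dinfo` layout, `POISON`, `MODEL_VERSION` and the function names are assumptions made for illustration; the layout follows the description (16 reserved bytes after `dinfo_nboards`), not the kernel header.

```c
#include <stdio.h>
#include <string.h>

#define POISON 0xAA /* stands in for stale kernel stack contents */

/* Assumed layout, modelled on the description; not the kernel header. */
struct model_dinfo {
    unsigned int dinfo_nboards;
    char dinfo_reserved[16];
    char dinfo_version[16];
};

/* Constructed value: 15 characters plus NUL, so it fills dinfo_version. */
static const char MODEL_VERSION[] = "model-ver-00001";

/* Pre-patch behaviour: only the named fields are written. */
static void fill_unpatched(struct model_dinfo *d, unsigned int nboards)
{
    d->dinfo_nboards = nboards;
    snprintf(d->dinfo_version, sizeof(d->dinfo_version), "%s", MODEL_VERSION);
}

/* Patched behaviour: zero the whole object first, then fill it. */
static void fill_patched(struct model_dinfo *d, unsigned int nboards)
{
    memset(d, 0, sizeof(*d));
    fill_unpatched(d, nboards);
}

/* Poison the object, run the fill routine, and count the bytes that still
 * hold the poison value: those are what a copy to user space would expose. */
static size_t stale_bytes(void (*fill)(struct model_dinfo *, unsigned int))
{
    struct model_dinfo d;
    const unsigned char *p = (const unsigned char *)&d;
    size_t i, n = 0;

    memset(&d, POISON, sizeof(d));
    fill(&d, 1);
    for (i = 0; i < sizeof(d); i++)
        n += (p[i] == POISON);
    return n;
}

int main(void)
{
    printf("unpatched: %zu stale bytes\n", stale_bytes(fill_unpatched));
    printf("patched:   %zu stale bytes\n", stale_bytes(fill_patched));
    return 0;
}
```

The same check works as a regression test for any structure that is filled field by field and then copied out whole: a non-zero count means some byte reaches the caller without having been written.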
The patch fixing the Infoleak
After verification, the patch that fixes the vulnerability has been submitted to the kernel:
[PATCH] staging/dgnc: fix info leak in ioctl
diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c index b13318a..883e2a8 100644 --- a/drivers/staging/dgnc/dgnc_mgmt.c +++ b/drivers/staging/dgnc/dgnc_mgmt.c @@ -115,6 +115,7 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg) spin_lock_irqsave(&dgnc_global_lock, flags); + memset(&ddi, 0, sizeof(ddi)); ddi.dinfo_nboards = dgnc_NumBoards; sprintf(ddi.dinfo_version, "%s", DG_PART);
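Review bot: the added memset(&ddi, 0, sizeof(ddi)) sits after spin_lock_irqsave(&dgnc_global_lock, flags), so ddi is cleared with the global lock held and interrupts disabled. Nothing in the hunk shows ddi being shared, so the memset could move above the spin_lock_irqsave() call and leave only the dgnc_NumBoards read inside the critical section. Separately, the context line sprintf(ddi.dinfo_version, "%s", DG_PART) is unbounded; a copy limited to sizeof(ddi.dinfo_version) would keep a longer DG_PART from writing past the field.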