Linux Kernel 3.15-rc3 media_enum_entities() Infoleak vulnerability

2014.06.15
Credit: Salva Peiro
Risk: Low
Local: Yes
Remote: No
CWE: CWE-200


CVSS Base Score: 1.7/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.1/10
Exploit range: Local
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Hi,

We found an infoleak vulnerability in the ioctl media_enum_entities() that allows disclosing 200 bytes of the kernel process' stack. The vulnerability is exploitable on versions up to linux-3.15-rc3 by local users with read access to `/dev/media0`. Linux distributions ship with `chmod 600 /dev/media0` preventing unprivileged local users from exploiting the vulnerability. However, some Android devices are known to be shipped with both read and/or write permissions for all: `chmod 666 /dev/media0`.

A detailed analysis, proof of concept and fixes are at: http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html

This has been fixed in Linux Kernel commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6a623460e5fc960ac3ee9f946d3106233fd28d8

----------------------------- -rw-r--r-- drivers/media/media-device.c 1 1 files changed, 1 insertions, 0 deletions diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c index d5a7a13..703560f 100644 --- a/drivers/media/media-device.c +++ b/drivers/media/media-device.c @@ -93,6 +93,7 @@ static long media_device_enum_entities(struct media_device *mdev, struct media_entity *ent; struct media_entity_desc u_ent; + memset(&u_ent, 0, sizeof(u_ent)); if (copy_from_user(&u_ent.id, &uent->id, sizeof(u_ent.id))) return -EFAULT; ----------------------------

e6a623460e5fc960ac3ee9f946d3106233fd28d8
Author Salva Peiró <speiro () ai2 upv es>
Date Thu, 1 May 2014 12:53:28 +0000
Commit [media] media-device: fix infoleak in ioctl media_enum_entities()

This fixes CVE-2014-1739.

Signed-off-by: Salva Peiró <speiro () ai2 upv es>
Acked-by: Laurent Pinchart <laurent.pinchart () ideasonboard com>
Cc: stable () vger kernel org
Signed-off-by: Mauro Carvalho Chehab <m.chehab () samsung com>
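
Review bot: the added `memset(&u_ent, 0, sizeof(u_ent));` at the top of media_device_enum_entities() has no comment, and the commit message says only "This fixes CVE-2014-1739", so the tree does not record why a struct that is then filled in must be zeroed first. Since only `u_ent.id` is read from user space in the lines shown, a later cleanup could take the memset for redundant initialization and drop it. Suggest a one-line comment above it, for example `/* clear u_ent so no uninitialized stack bytes reach user space */`, and a sentence in the commit message naming the leaked data (the report gives 200 bytes of kernel stack).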

References:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6a623460e5fc960ac3ee9f946d3106233fd28d8
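
The exposure condition the report describes is a media device node that unprivileged local users can open. The following shell function is an added example, not part of the original advisory or the kernel fix; it flags `media<N>` nodes whose mode grants read or write to "other", and the function name, output format and reliance on `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit media controller device nodes for permissions that let
# any local user open them (the precondition named in the advisory).
# Assumption: stat(1) supports -c '%a' (GNU coreutils, busybox, toybox).

# audit_media_nodes [DIR]
#   Prints one line per DIR/media<N> node: "EXPOSED|OK <octal-mode> <path>".
#   Returns 1 if any node grants read or write to "other", 0 otherwise.
audit_media_nodes() {
    dir=${1:-/dev}
    exposed=0
    for node in "$dir"/media[0-9]*; do
        # An unmatched glob stays literal; skip it when nothing exists.
        [ -e "$node" ] || continue
        mode=$(stat -c '%a' "$node") || continue
        # The last octal digit holds the permission bits for "other".
        other=${mode#"${mode%?}"}
        # 4 = read, 2 = write; either one lets any local user open the node.
        if [ $(( other & 6 )) -ne 0 ]; then
            echo "EXPOSED $mode $node"
            exposed=1
        else
            echo "OK $mode $node"
        fi
    done
    return "$exposed"
}

# Stand-alone use: audit /dev, or the directory given as the first argument.
audit_media_nodes "${1:-/dev}" || echo "media nodes accessible to all users found" >&2
```

A node reported as `EXPOSED` on a kernel without the fix can be brought in line with the distribution default quoted above (`chmod 600`); the script checks permissions only and does not determine whether the running kernel carries the patch.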

