Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE-2014-1739: Kernel Infoleak vulnerability in,media_enum_entities()
From: Salva Peiró <speiro () ai2 upv es>
Date: Sun, 15 Jun 2014 07:50:54 +0200

Hi,

We found an infoleak vulnerability in the ioctl media_enum_entities()
that allows to disclose 200 bytes the kernel process' stack.
The vulnerability is exploitable on versions up to linux-3.15-rc3 by
local users with read access to `/dev/media0`.
Linux distributions ship with `chmod 600 /dev/media0` preventing
unprivileged local users from exploiting the vulnerability.
However, some Android devices are known to be shipped with both read
and/or write permissions for all: chmod 666 /dev/media0.

A detailed analysis, proof of concept and fixes are at:
http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html

This has been fixed in Linux Kernel commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6a623460e5fc960ac3ee9f946d3106233fd28d8

e6a623460e5fc960ac3ee9f946d3106233fd28d8
Author  Salva Peiró <speiro () ai2 upv es>
Date    Thu, 1 May 2014 12:53:28 +0000
Commit [media] media-device: fix infoleak in ioctl media_enum_entities()

    This fixes CVE-2014-1739.

    Signed-off-by: Salva Peiró <speiro () ai2 upv es>
    Acked-by: Laurent Pinchart <laurent.pinchart () ideasonboard com>
    Cc: stable () vger kernel org
    Signed-off-by: Mauro Carvalho Chehab <m.chehab () samsung com>

Salva Peiró


  By Date           By Thread  

Current thread:
  • CVE-2014-1739: Kernel Infoleak vulnerability in,media_enum_entities() Salva Peiró (Jun 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault