Vigil@nce - Linux kernel: memory reading via VIDEO_SET_SPU_PALETTE
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the VIDEO_SET_SPU_PALETTE ioctl to read
a fragment of kernel memory.
Impacted products: Linux
Severity: 1/4
Creation date: 08/04/2013
DESCRIPTION OF THE VULNERABILITY
The SPU (Sub Picture Unit) palette is used by DVB (Digital Video
Broadcasting) devices.
The VIDEO_SET_SPU_PALETTE ioctl is used to define this palette.
The do_video_set_spu_palette() function in the fs/compat_ioctl.c
file implements this ioctl. However, if the memory addresses supplied
by the user are invalid, this function does not detect the error,
and returns a fragment of its memory (two uninitialized variables:
palp and length) to the user.
A local attacker can therefore use the VIDEO_SET_SPU_PALETTE
ioctl to read a fragment of kernel memory.
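The missing error check described above, shown as a userspace C model next to a checked version. This is an added example, not the kernel's code and not part of the bulletin: mock_get_user(), user_mem, the STALE_* values and both set_palette_* functions are hypothetical, and the locals are seeded with constructed values to stand in for uninitialized stack contents.

```c
/* Userspace model of the flaw, not kernel code; every name here is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STALE_PALP   0xdeadbeefu  /* constructed: leftover stack contents */
#define STALE_LENGTH 0x1337u
struct native_palette { uint32_t palette, length; };
static const uint32_t user_mem[2] = { 0x1000u, 16u };  /* constructed user data */

/* Stand-in for get_user(): fails on a bad address and leaves *dst untouched. */
static int mock_get_user(uint32_t *dst, size_t uaddr)
{
    if (uaddr >= 2)
        return -EFAULT;
    *dst = user_mem[uaddr];
    return 0;
}

int set_palette_flawed(size_t up, struct native_palette *out)
{
    uint32_t palp = STALE_PALP, length = STALE_LENGTH; /* models uninitialized locals */
    int err = mock_get_user(&palp, up);
    err |= mock_get_user(&length, up + 1);
    (void)err;                         /* flaw: the read failure is never acted on */
    *out = (struct native_palette){ palp, length };  /* values passed onward */
    return 0;
}

int set_palette_checked(size_t up, struct native_palette *out)
{
    uint32_t palp = 0, length = 0;     /* defined values even if a read fails */
    int err = mock_get_user(&palp, up);
    err |= mock_get_user(&length, up + 1);
    if (err)
        return -EFAULT;                /* stop before anything is passed onward */
    *out = (struct native_palette){ palp, length };
    return 0;
}

int main(void)
{
    struct native_palette a = {0, 0}, b = {0, 0};
    int ra = set_palette_flawed(100, &a), rb = set_palette_checked(100, &b);
    printf("flawed: ret=%d palette=%#x; checked: ret=%d palette=%#x\n",
           ra, (unsigned)a.palette, rb, (unsigned)b.palette);
    return 0;
}
```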
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-VIDEO-SET-SPU-PALETTE-12611