Format string modifiers in card label in umlaeute/v4l2loopback
Reported on Jul 28th 2022
Description
When a new video device is added with v4l2loopback-ctl and its card label contains format string modifiers, the kernel driver interprets those modifiers when the device capabilities are queried, thus leaking kernel memory (stack contents).
The vulnerability requires the attacker to have access to /dev/v4l2loopback, which is owned by root:root with mode 600 (chmod 600) by default. The attack can still be used successfully against kernels in lockdown mode.
Proof of Concept
v4l2loopback-ctl add -n "%p-%p-%p"
cat /sys/devices/virtual/video4linux/video2/name
Output (example):
/dev/video2
00000000de899e9f-00000000f6d35a
Expected:
/dev/video2
%p-%p-%p
Impact
Depending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility of a DoS, because the v4l2loopback kernel module crashes when providing the card label on request (reproduce e.g. with many %s modifiers in a row).
Occurrences
v4l2loopback.c L2497: The third argument to snprintf should be a constant "%s" instead of user-controlled.
v4l2loopback.c L759: The third argument to snprintf should be a constant "%s" instead of user-controlled.
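The fix at both occurrences is the same pattern. The following user-space model is an added example, not the v4l2loopback driver's own code: it shows the hardened snprintf call with a constant "%s" format (so the PoC label is stored verbatim, matching the "Expected" output above) plus a defensive check that flags labels carrying conversion directives; the function names, buffer size and sample labels are assumptions made for this example.

```c
/* Added example (not the v4l2loopback driver's own code): a user-space model
 * of the fix described in the report. The driver passed the user-supplied
 * card label as the FORMAT argument of snprintf(), so "%p-%p-%p" was
 * interpreted. The hardened form below passes a constant "%s" format and the
 * label as data, so it is copied verbatim. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define CARD_LABEL_MAX 32  /* constructed buffer size for this example */

/* Hardened copy: the label is never used as a format string.
 * Returns snprintf()'s count of characters that would have been written,
 * so a caller can detect truncation (result >= dst_size). */
int copy_card_label(char *dst, size_t dst_size, const char *label)
{
    /* Vulnerable pattern (do NOT do this): snprintf(dst, dst_size, label); */
    return snprintf(dst, dst_size, "%s", label);
}

/* Defensive check usable where the label enters the driver: true if the
 * label contains a conversion directive ('%' not followed by '%'), i.e. a
 * value the old code would have interpreted. "%%" is a literal percent. */
bool label_has_format_directive(const char *label)
{
    for (const char *p = label; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* skip the escaped "%%" pair */
            p++;
            continue;
        }
        return true;         /* "%p", "%s", or a dangling '%' at the end */
    }
    return false;
}

int main(void)
{
    char buf[CARD_LABEL_MAX];
    const char *label = "%p-%p-%p";   /* the PoC label from the report */

    copy_card_label(buf, sizeof buf, label);
    printf("stored name: %s\n", buf);   /* prints the label unchanged */
    printf("has directives: %d\n", label_has_format_directive(label));
    return 0;
}
```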
References
SECURITY.md