Format string modifiers in card label in umlaeute/v4l2loopback
Jul 28th 2022
When adding a new video device with
v4l2loopback-ctl that contains a card label with format string modifiers the kernel driver interprets these when querying the device capabilities, thus leaking kernel memory (stack contents).
The vulnerability requires the attacker to have access to the
/dev/v4l2loopback, which is owned by
chmod 600 by default. This attack can still be used successfully against kernels in lock down mode.
Proof of Concept
v4l2loopback-ctl add -n "%p-%p-%p" cat /sys/devices/virtual/video4linux/video2/name
Depending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility for DoS due to the
v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many
%s modifiers in a row).