Linux Kernel Information Leak Vulnerability in TTY Virtual Console

Vulnerability

An information leak vulnerability has been identified in the Linux kernel's TTY (teletypewriter) subsystem, specifically within the virtual console (vcs) read operation. This vulnerability arises because the Unicode screen buffer is not properly initialized before being read, allowing potentially sensitive information to be leaked. The issue was reported by zybot and has been addressed by initializing the buffer with a zeroed allocation. The vulnerability can be reproduced by resizing the framebuffer and then reading from the virtual console, which exposes uninitialized data.

Impact

Exploitation of this vulnerability leads to an information leak, where uninitialized data can be read from the virtual console, potentially exposing sensitive information.

Reproduction

The vulnerability can be reproduced by opening the framebuffer device, resizing the screen information, and then reading from the virtual console device. This sequence of actions takes advantage of the uninitialized buffer, causing an information leak.
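The bug class described above, as an added userspace model in C (not kernel code and not part of the original advisory): a resize copies only the overlap of the old and new screen geometry, so a later read returns whatever the allocator left in the remaining cells unless the allocation is zeroed. All names (`uniscr`, `cells_alloc`, `uniscr_resize`, `leaked_cells`), the memory pool and the stale pattern are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: every name and the layout are hypothetical, not kernel code. */
#define POOL_CELLS 4096
#define STALE 0x5EC2E700u            /* constructed marker for "someone else's old data" */
static uint32_t pool[POOL_CELLS];    /* stands in for recycled memory */
static size_t pool_used;

/* Fill the pool with the stale pattern, as if it had been used and freed earlier. */
static void pool_reset(void) {
    for (size_t i = 0; i < POOL_CELLS; i++) pool[i] = STALE | (uint32_t)(i & 0xFF);
    pool_used = 0;
}
/* zeroed == 0 models a plain allocation, zeroed == 1 a zeroing allocation (the fix). */
static uint32_t *cells_alloc(size_t n, int zeroed) {
    if (n > POOL_CELLS - pool_used) return NULL;
    uint32_t *p = &pool[pool_used];
    pool_used += n;
    if (zeroed) memset(p, 0, n * sizeof *p);
    return p;
}
struct uniscr { unsigned rows, cols; uint32_t *cells; };

/* Resize copies only the overlap of old and new geometry; other cells stay untouched. */
static int uniscr_resize(struct uniscr *s, unsigned rows, unsigned cols, int zeroed) {
    uint32_t *n = cells_alloc((size_t)rows * cols, zeroed);
    if (!n) return -1;
    unsigned cr = rows < s->rows ? rows : s->rows;
    unsigned cc = cols < s->cols ? cols : s->cols;
    for (unsigned r = 0; r < cr; r++)
        memcpy(n + (size_t)r * cols, s->cells + (size_t)r * s->cols, cc * sizeof *n);
    s->rows = rows; s->cols = cols; s->cells = n;
    return 0;
}
/* Read path: counts cells a reader of the whole buffer would get that hold stale data. */
static size_t leaked_cells(unsigned rows, unsigned cols, int zeroed) {
    pool_reset();
    struct uniscr s = { 2, 4, cells_alloc(8, 1) };
    for (unsigned i = 0; i < 8; i++) s.cells[i] = 'A' + i;   /* constructed screen text */
    if (uniscr_resize(&s, rows, cols, zeroed)) return (size_t)-1;
    size_t leaked = 0;
    for (size_t i = 0; i < (size_t)rows * cols; i++)
        if ((s.cells[i] & 0xFFFFFF00u) == STALE) leaked++;
    return leaked;
}
int main(void) {
    printf("plain: %zu leaked, zeroed: %zu leaked\n", leaked_cells(4, 8, 0), leaked_cells(4, 8, 1));
    return 0;
}
```

Growing the 2x4 screen to 4x8 is the case that matters: the cells outside the copied overlap are the ones a reader sees uninitialized. Shrinking leaks nothing in this model because every new cell is overwritten by the copy.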

Added: Jun 18, 2025, 1:09 PM
Updated: Jun 18, 2025, 1:09 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.