Linux Kernel Comedi Subdevice Digital I/O Uninitialized Data Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Comedi driver allows the use of uninitialized data in the 'insn_rw_emulate_bits()' function. The issue arises on 'digital' subdevices that lack specific 'insn_read' and 'insn_write' handlers but do have an 'insn_bits' handler. The function assumes that 'data[0]' holds a valid copy from user memory. When 'insn->n' is 0, 'data[0]' may contain uninitialized or invalid data, leading to incorrect values being written to digital output channels. This flaw can also affect the internal saved state of the channel.

Impact

Exploitation of this vulnerability can result in incorrect data being written to digital input/output channels, potentially disrupting the internal state of the affected channels.

Reproduction

The vulnerability can be reproduced by configuring a Comedi subdevice of type 'digital' without 'insn_read' or 'insn_write' handlers, but with an 'insn_bits' handler. When 'INSN_WRITE' instructions are processed, the 'insn_rw_emulate_bits()' function will incorrectly handle the 'data[0]' value if 'insn->n' is 0, leading to the use of uninitialized data.

Remediation

The vulnerability has been addressed by modifying the 'insn_rw_emulate_bits()' function to return 0 early if 'insn->n' is 0, preventing access to 'data[0]' before the value is validated.
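
The following is an added example, not the kernel's own code: a simplified userspace model of the emulation path showing what the early return on 'insn->n == 0' prevents. The struct names, the 'guard_n' switch, the 'model_insn_bits()' handler and the stale buffer value are assumptions made for the illustration.

```c
#include <stdio.h>
enum { MODEL_INSN_READ, MODEL_INSN_WRITE };

/* Simplified stand-ins for the driver's structures (assumed for this model). */
struct model_insn { int insn; unsigned int n; unsigned int chan; };
struct model_subdev { unsigned int state; };

/* Hypothetical insn_bits handler: bits[0] is the mask, bits[1] the new values. */
static int model_insn_bits(struct model_subdev *s, unsigned int *bits)
{
    if (bits[0])
        s->state = (s->state & ~bits[0]) | (bits[0] & bits[1]);
    bits[1] = s->state;          /* report the saved channel state */
    return 2;
}

/* guard_n = 0 models the flawed behaviour, guard_n = 1 the remediated one. */
static int emulate_bits(struct model_subdev *s, const struct model_insn *insn,
                        unsigned int *data, int guard_n)
{
    unsigned int bits[2] = { 0, 0 };
    if (guard_n && insn->n == 0)
        return 0;                /* nothing was copied in, so data[0] is not valid */
    if (insn->insn == MODEL_INSN_WRITE) {
        bits[0] = 1U << insn->chan;
        bits[1] = data[0] ? (1U << insn->chan) : 0;   /* trusts data[0] */
    }
    if (model_insn_bits(s, bits) < 0)
        return -1;
    if (insn->insn == MODEL_INSN_READ)
        data[0] = (bits[1] >> insn->chan) & 1;
    return 1;
}

/* Issue a write with n == 0 on channel 3 and return the resulting saved state. */
unsigned int state_after_empty_write(int guard_n)
{
    struct model_subdev s = { 0 };
    struct model_insn insn = { MODEL_INSN_WRITE, 0, 3 };
    unsigned int stale[1] = { 1 };   /* constructed leftover value, not caller data */
    emulate_bits(&s, &insn, stale, guard_n);
    return s.state;
}

int main(void)
{
    printf("unguarded: 0x%x, guarded: 0x%x\n", state_after_empty_write(0), state_after_empty_write(1));
    return 0;
}
```

Without the guard, the leftover value drives channel 3 high and changes the saved state even though the caller supplied no data; with the guard the state is untouched.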

Added: Jul 28, 2025, 1:00 PM
Updated: Jul 28, 2025, 1:00 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.