Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of the COMEDI_INSNLIST ioctl has been addressed. The issue arose because the ioctl processing allocated a kernel buffer based on the n_insns value provided by the user, which could be excessively large. This mismanagement led to allocation failures, accompanied by warnings and stack dumps. The vulnerability has been resolved by introducing a validation step that returns an -EINVAL error for unreasonable n_insns values, thereby preventing the allocation issue. The maximum allowable n_insns value has been set to 65536, aligning with the maximum samples permitted in Comedi instructions.
Exploitation of this vulnerability could lead to improper buffer allocation, causing allocation failures and potentially allowing for a stack overflow, as indicated by the warning and stack dump generated when the n_insns value is too large.
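The validation step described above, modeled in userspace C as an added example (not the kernel's own code). The struct layouts and function names are hypothetical, and `calloc` stands in for the kernel allocator; only the 65536 cap and the -EINVAL result come from the description.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Cap stated in the description: the maximum samples in a Comedi instruction. */
#define MAX_INSNS 65536u

/* Hypothetical stand-ins for the ioctl argument structures (not the real layout). */
struct model_insn {
    uint32_t insn, n, chanspec, subdev;
    void *data;
};
struct model_insnlist {
    uint32_t n_insns;          /* caller-controlled count */
    struct model_insn *insns;  /* caller-supplied array */
};

/* Reject an unreasonable count BEFORE it is used to size an allocation.
 * Returns 0 and sets *out on success, -EINVAL for an oversized count,
 * -ENOMEM if the (now bounded) allocation still fails. */
static int insnlist_alloc_checked(const struct model_insnlist *req,
                                  struct model_insn **out)
{
    *out = NULL;
    if (req->n_insns > MAX_INSNS)
        return -EINVAL;        /* no allocation is attempted at all */
    if (req->n_insns == 0)
        return 0;              /* model choice: nothing to allocate */
    *out = calloc(req->n_insns, sizeof(**out));
    return *out ? 0 : -ENOMEM;
}

int main(void)
{
    /* Constructed sample requests: at the cap, just over it, and absurdly large. */
    uint32_t counts[] = { MAX_INSNS, MAX_INSNS + 1u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        struct model_insnlist req = { counts[i], NULL };
        struct model_insn *buf;
        int rc = insnlist_alloc_checked(&req, &buf);
        printf("n_insns=%u -> rc=%d\n", (unsigned)counts[i], rc);
        free(buf);
    }
    return 0;
}
```

The point of ordering the check first is that an oversized request fails cleanly with -EINVAL instead of reaching the allocator, which is where the warning and stack dump were generated.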