Linux Kernel Comedi Driver Uninitialized Memory Vulnerability in Instruction IOCTLs

Vulnerability

A vulnerability in the Linux kernel's Comedi driver has been addressed, concerning the handling of uninitialized memory in the 'do_insn_ioctl()' and 'do_insnlist_ioctl()' functions. The issue, reported by syzbot as a KMSAN kernel-infoleak, involves a kernel buffer allocated to hold 'insn->n' samples. For instruction types that return data to user space, all 'insn->n' samples are copied back unless the handler returns an error, but not every instruction handler fills in all 'insn->n' samples, so whatever the handler left untouched is copied out as-is. As a result, uninitialized kernel data can be leaked to user space. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability by a process able to open a Comedi device node leads to a kernel information leak: the uninitialized part of the sample buffer is copied to user space and may contain sensitive data left behind by earlier kernel allocations.

Reproduction

The vulnerability can be reproduced through the Comedi instruction ioctls using instruction types whose handlers do not fill all 'insn->n' samples before they are copied to user space. One such path is an 'INSN_READ' with 'insn->n' greater than 1 sent to a subdevice that has no specific 'INSN_READ' handler but does have an 'INSN_BITS' handler: the emulation used in that case fills in at most the first sample, so the remaining 'insn->n - 1' samples returned to user space are uninitialized kernel data. (The same emulation also serves 'INSN_WRITE' for such subdevices, but 'INSN_WRITE' returns no sample data to user space, so it is the read path that leaks.) Another case is the 'vmk80xx' driver, whose analog-input read handler does not return an error when it fails to fill the buffer, so the unfilled samples are copied out as if they were valid.

Remediation

The vulnerability has been fixed in 'do_insn_ioctl()' and 'do_insnlist_ioctl()' by clearing the allocated sample buffer before each instruction is passed to its handler, so any sample the handler does not write is returned to user space as zero rather than as stale kernel memory. Users should apply the latest patches available in the Linux kernel stable tree to address this issue.
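The following is an added user-space model of the bug pattern described in the Vulnerability, Reproduction and Remediation sections; it is example code written for this page, not code from the Linux kernel or the Comedi driver. The instruction descriptor, the 'INSN_READ' constant, the two handler stand-ins ('read_emulated_via_bits' for the INSN_BITS emulation that fills at most one sample, 'read_never_reports_error' for a vmk80xx-style handler that succeeds without filling anything) and the 'STALE' marker that plays the role of whatever a fresh kernel allocation happens to contain are all assumptions made for illustration. 'do_insn()' reproduces the shape of the ioctl path: allocate 'n' samples, run the handler, copy 'n' samples out. With 'clear_first' set to 0 it behaves like the vulnerable code; with 'clear_first' set to 1 it zeroes the buffer first, which is the fix the advisory describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the Comedi instruction code and descriptor;
 * only the fields this example needs. Not the kernel's definitions. */
#define INSN_READ 1u

struct insn_desc {
    unsigned int insn;  /* instruction type */
    unsigned int n;     /* number of samples the caller asked for */
};

/* Marker standing in for the stale contents a fresh kernel allocation
 * would carry; KMSAN would flag these words as uninitialized. */
#define STALE 0xDEADBEEFu

typedef int (*insn_handler)(const struct insn_desc *, unsigned int *);

/* Models the INSN_READ emulation the advisory describes: a subdevice with an
 * INSN_BITS handler but no INSN_READ handler gets one bit read back into the
 * first sample only, yet the call reports all insn->n samples as handled. */
static int read_emulated_via_bits(const struct insn_desc *insn, unsigned int *data)
{
    if (insn->insn != INSN_READ)
        return -1;
    if (insn->n > 0)
        data[0] = 1u;        /* the single bit read from the device */
    return (int)insn->n;     /* claims success for every sample */
}

/* Models the vmk80xx behaviour the advisory describes: the device read fails,
 * nothing is written, but the handler still does not return an error. */
static int read_never_reports_error(const struct insn_desc *insn, unsigned int *data)
{
    (void)data;              /* constructed: read failed, buffer untouched */
    return (int)insn->n;
}

/* Allocate the "kernel" sample buffer, pre-filled with STALE so a leak is visible. */
static unsigned int *alloc_samples(unsigned int n)
{
    unsigned int *buf = malloc((size_t)n * sizeof *buf);
    if (!buf)
        return NULL;
    for (unsigned int i = 0; i < n; i++)
        buf[i] = STALE;
    return buf;
}

/* Shape of do_insn_ioctl(): allocate, run the handler, copy n samples back.
 * clear_first == 0 is the vulnerable shape; clear_first != 0 zeroes the
 * buffer before the handler runs, which is the fix the advisory describes. */
static int do_insn(insn_handler handler, const struct insn_desc *insn,
                   unsigned int *user_out, int clear_first)
{
    unsigned int *data = alloc_samples(insn->n);
    int ret;

    if (!data)
        return -1;
    if (clear_first)
        memset(data, 0, (size_t)insn->n * sizeof *data);

    ret = handler(insn, data);
    if (ret >= 0)                                   /* stands in for copy_to_user() */
        memcpy(user_out, data, (size_t)insn->n * sizeof *data);
    free(data);
    return ret;
}

/* Run one INSN_READ of n samples (n <= 64) and count the samples in the
 * user-visible result that still hold STALE: each is a word of "kernel"
 * memory the caller should never have seen. Returns 0 on ioctl error. */
static unsigned int leaked_samples(insn_handler handler, unsigned int n, int clear_first)
{
    struct insn_desc insn = { INSN_READ, n };
    unsigned int out[64];
    unsigned int leaked = 0;

    if (n > 64)
        return 0;
    if (do_insn(handler, &insn, out, clear_first) < 0)
        return 0;
    for (unsigned int i = 0; i < n; i++)
        if (out[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("bits emulation, n=4, vulnerable: %u leaked\n",
           leaked_samples(read_emulated_via_bits, 4, 0));
    printf("bits emulation, n=4, fixed:      %u leaked\n",
           leaked_samples(read_emulated_via_bits, 4, 1));
    printf("never-errors,   n=4, vulnerable: %u leaked\n",
           leaked_samples(read_never_reports_error, 4, 0));
    return 0;
}
```

The leak is invisible when 'insn->n' is 1, which is why the emulation path looks correct in the common case; asking for several samples in one instruction is what exposes the 'insn->n - 1' stale words. Zeroing before the handler runs removes the leak for both handler shapes without needing to audit every driver, which is why the fix lives in the ioctl functions rather than in the individual handlers.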

Added: Sep 5, 2025, 8:00 PM
Updated: Sep 5, 2025, 8:00 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.