Linux Kernel Comedi Subsystem Instruction Emulation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's Comedi subsystem, specifically within the instruction emulation function 'insn_rw_emulate_bits()'. This function handles 'INSN_READ' and 'INSN_WRITE' instructions for subdevices that support 'INSN_BITS' but lack dedicated handlers for read or write operations. 'INSN_READ' and 'INSN_WRITE' can process multiple samples, as indicated by the 'insn->n' value, but the affected implementation handles only a single sample. This mismatch can lead to kernel information leak errors when 'insn->n' exceeds 1. The issue has been addressed by modifying the function to either handle all 'insn->n' samples or return an error, conforming to the expected behavior for read and write handlers.
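
The mismatch described above, as an added example: a simplified userspace C model, not taken from the kernel source or from this advisory, of a single-sample read handler beside one that fills every requested sample. It assumes the caller hands 'insn->n' samples back to the requester after the handler runs; every identifier and the poison value are constructed for illustration.

```c
/* Simplified userspace model, not kernel source; all names are hypothetical. */
#include <stdio.h>
#define POISON 0xDEADBEEFu  /* stands in for stale kernel memory */
#define BUF_SAMPLES 16u     /* constructed buffer size for this model */
struct model_insn { unsigned int n; unsigned int chan; };
/* Stand-in for a driver's INSN_BITS handler: data[1] receives the port state. */
static int model_insn_bits(unsigned int *data)
{
    data[1] = 0x5u;         /* constructed state: channels 0 and 2 high */
    return 2;
}

/* Before: emulates INSN_READ for one sample only, whatever insn->n says. */
static int emulate_read_single(const struct model_insn *insn, unsigned int *data)
{
    unsigned int bits[2] = { 0, 0 };
    int ret = model_insn_bits(bits);
    if (ret < 0)
        return ret;
    data[0] = (bits[1] >> insn->chan) & 1u;
    return 1;
}

/* After: produces all insn->n samples, or propagates the handler's error. */
static int emulate_read_all(const struct model_insn *insn, unsigned int *data)
{
    for (unsigned int i = 0; i < insn->n; i++) {
        int ret = emulate_read_single(insn, &data[i]);
        if (ret < 0)
            return ret;
    }
    return (int)insn->n;
}

/* Models the caller: poison the buffer, run the handler (fixed = 0 or 1), then
 * count how many of the insn->n samples due back to the requester are stale. */
static unsigned int stale_samples(int fixed, unsigned int n)
{
    unsigned int buf[BUF_SAMPLES], stale = 0;
    struct model_insn insn = { n > BUF_SAMPLES ? BUF_SAMPLES : n, 2 };
    for (unsigned int i = 0; i < BUF_SAMPLES; i++) buf[i] = POISON;
    (fixed ? emulate_read_all : emulate_read_single)(&insn, buf);
    for (unsigned int i = 0; i < insn.n; i++) stale += (buf[i] == POISON);
    return stale;
}
int main(void)
{
    printf("n=4: single=%u stale, all=%u stale\n", stale_samples(0, 4), stale_samples(1, 4));
    return 0;
}
```

With 'insn->n' set to 1 both handlers leave nothing stale, which is why the single-sample assumption goes unnoticed in the common case.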

Impact

Exploitation of this vulnerability could cause a kernel information leak, where sensitive data is unintentionally exposed to user space.

Reproduction

The vulnerability can be reproduced by invoking the 'insn_rw_emulate_bits()' function with 'INSN_READ' or 'INSN_WRITE' instructions that require the handling of multiple samples. This can be done by specifying a value greater than 1 for 'insn->n', which will trigger the kernel information leak error.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Sep 5, 2025, 7:57 PM
Updated: Sep 5, 2025, 7:57 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.