Linux Kernel Comedi Driver Divide-By-Zero Vulnerability in Buffer Munging Function

A divide-by-zero vulnerability has been identified in the Linux kernel's Comedi driver, specifically within the 'comedi_buf_munge()' function. This issue arises because the function performs a modulo operation on 'async->munge_chan' using 'async->cmd.chanlist_len' without verifying if 'chanlist_len' is zero. If a user program sends a command with 'chanlist_len' set to zero, it triggers a divide-by-zero error while the device is processing data in the interrupt handler, potentially leading to a kernel panic. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can cause a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, a user program must be crafted to send a command with 'chanlist_len' set to zero to a Comedi device. When the 'comedi_buf_munge()' function processes this command, the missing check for zero 'chanlist_len' will cause a divide-by-zero error in the interrupt handler, leading to a kernel panic.

Remediation

The vulnerability has been addressed by adding a check for zero 'chanlist_len' at the beginning of the 'comedi_buf_munge()' function. Users should update to the latest version of the Linux kernel where this fix has been applied.