Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's Comedi driver, specifically in the compatibility layer for IOCTL (Input/Output Control) operations on i386 kernels. The issue arises because certain modified IOCTL handlers do not perform necessary checks on whether a device is properly attached before executing commands. This oversight can lead to kernel crashes, as reported by Syzbot, due to null pointer dereferences when non-existent callback functions are called on unconfigured devices. The problem is exacerbated in the compatibility versions of standard IOCTL handlers, which fail to use the appropriate unlocked IOCTL functions that include the required sanity checks. As a result, it is possible to invoke select IOCTLs on devices that have not been correctly set up, potentially skipping crucial initialization steps. The vulnerability has been addressed by adding checks to ensure that devices are properly attached before any IOCTL operations are performed, thereby aligning the logic between modern and compatibility functions.
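A simplified user-space C model of the fix described above, added here as an illustration and not taken from the kernel's Comedi code: the native and compatibility entry points share one attached-status guard, so neither can reach an unset callback. All `model_*` names, the exemption for the configuration command and the `-ENODEV` return value are assumptions of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Simplified user-space model; every model_* name is hypothetical. */
struct model_dev {
    bool attached;                  /* true only after configuration completes */
    int (*get_valid_routes)(void);  /* callback set during configuration, NULL before */
};

enum model_cmd { MODEL_CMD_CONFIG, MODEL_CMD_QUERY };

static int model_routes(void) { return 3; }  /* constructed sample callback */

/* Single guard used by every entry point (assumption: only the
 * configuration command is allowed on an unattached device). */
static int model_check_attached(const struct model_dev *dev, enum model_cmd cmd)
{
    if (cmd == MODEL_CMD_CONFIG)
        return 0;
    if (!dev->attached || dev->get_valid_routes == NULL)
        return -ENODEV;
    return 0;
}

static int model_dispatch(struct model_dev *dev, enum model_cmd cmd)
{
    int rc = model_check_attached(dev, cmd);
    if (rc)
        return rc;                  /* refuse before touching any callback */
    if (cmd == MODEL_CMD_CONFIG) {
        dev->get_valid_routes = model_routes;
        dev->attached = true;
        return 0;
    }
    return dev->get_valid_routes();
}

/* Native path. */
static int model_native_ioctl(struct model_dev *dev, enum model_cmd cmd)
{
    return model_dispatch(dev, cmd);
}

/* Compat path: argument translation would happen here, then the same
 * guarded dispatch runs instead of a separate, unchecked handler. */
static int model_compat_ioctl(struct model_dev *dev, enum model_cmd cmd)
{
    return model_dispatch(dev, cmd);
}
```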
Exploiting this vulnerability can cause a kernel crash by dereferencing a null pointer, leading to system instability.
The vulnerability can be reproduced by invoking certain IOCTL commands on a Comedi device that has not been properly configured. This can be done through the compatibility IOCTL handlers in a 32-bit i386 kernel, which lack the necessary checks for the device's attachment status. The missing checks can be exploited by sending IOCTL requests that trigger the uninitialized callback, causing a null pointer dereference and crashing the kernel.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.