Linux Kernel Comedi Multiq3 Driver Task Timeout Vulnerability in Encoder Channel Configuration

Vulnerability

A vulnerability in the Linux kernel's Comedi multiq3 driver has been identified that can lead to a task timeout. The issue occurs in the multiq3_attach() function when the number of channels for the encoder subdevice is set to an excessively high value. Such a configuration, generated by the Syzkaller fuzzer, causes multiq3_encoder_reset() to be called once per channel, so the attach path runs for an extended period, blocking the calling task and leaving the affected devices unusable while it runs. Although this vulnerability may not pose a significant risk to real-world devices, it highlights the need for proper input validation. The vulnerability affects the Linux kernel stable tree, specifically the Comedi subsystem's multiq3 driver.

Impact

Exploitation of this vulnerability causes a task timeout, with tasks blocked for over 143 seconds. The delay can disrupt normal operation and lead to degraded performance or unresponsiveness in applications that rely on the affected devices.

Reproduction

The vulnerability can be reproduced by loading the Comedi multiq3 driver and crafting a configuration that specifies an excessive number of encoder channels. This is done through the COMEDI_DEVCONFIG ioctl, which passes the oversized value in the encoder channel option. Once the driver is attached with this configuration, multiq3_encoder_reset() is called once per configured channel, and the attach path blocks execution for several minutes, triggering the task timeout.

Remediation

The vulnerability has been addressed by adding a limit on the configuration option in the multiq3_attach() function. The updated code restricts the number of encoder chips to a maximum of four, with each chip providing two channels, so the encoder subdevice can no longer be configured with an unbounded channel count. Users should ensure they are running a version of the Linux kernel that includes this patch.
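The following is an added, stand-alone C model of the bounds check described above; it is not the kernel's multiq3.c code. The limit (four chips, two channels each) comes from the advisory, while the function names, the option handling and the counter used to observe the reset loop are assumptions made for illustration. It shows why validating the user-supplied option before the per-channel loop bounds the work done in the attach path.

```c
/* Added example (not the kernel's own multiq3.c code): a standalone model
 * of the encoder-option bounds check that the fix adds to multiq3_attach().
 * Function names and the option handling are assumptions; only the limit
 * (4 chips x 2 channels) comes from the advisory. */
#include <stdio.h>
#include <errno.h>

#define MULTIQ3_ENC_CHIPS_MAX   4   /* limit stated in the advisory */
#define MULTIQ3_CHANS_PER_CHIP  2   /* two encoder channels per chip */

/* Counts how many times the modelled multiq3_encoder_reset() ran. */
static unsigned long reset_calls;

/* Stand-in for the per-channel reset. The real routine talks to the
 * hardware, which is what ran for minutes with an unbounded channel count. */
static void multiq3_encoder_reset(unsigned int chan)
{
    (void)chan;
    reset_calls++;
}

/* Validates the user-supplied encoder chip count taken from the
 * COMEDI_DEVCONFIG options and returns the resulting number of encoder
 * channels, or a negative errno if the option is out of range. */
int multiq3_encoder_channels(int num_chips)
{
    if (num_chips < 0 || num_chips > MULTIQ3_ENC_CHIPS_MAX)
        return -EINVAL;
    return num_chips * MULTIQ3_CHANS_PER_CHIP;
}

/* Models the attach path: validate first, and only then loop over the
 * channels. Returns the channel count, or the negative errno on rejection. */
int multiq3_attach_model(int num_chips)
{
    int n_chan = multiq3_encoder_channels(num_chips);
    unsigned int i;

    reset_calls = 0;
    if (n_chan < 0)
        return n_chan;          /* attach fails instead of looping */
    for (i = 0; i < (unsigned int)n_chan; i++)
        multiq3_encoder_reset(i);
    return n_chan;
}

/* Exposes the reset counter so a caller can confirm how much work ran. */
unsigned long multiq3_reset_calls(void)
{
    return reset_calls;
}

int main(void)
{
    int n;

    n = multiq3_attach_model(2);
    printf("2 chips -> %d channels, %lu resets\n", n, multiq3_reset_calls());

    n = multiq3_attach_model(100000);   /* constructed oversized option */
    printf("100000 chips -> %d (rejected), %lu resets\n", n, multiq3_reset_calls());
    return 0;
}
```

With the check in place, an oversized option fails attach with -EINVAL before any reset runs; without it the loop count is whatever user space supplied, which is the behaviour the advisory describes.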

Added: Dec 16, 2025, 3:30 PM
Updated: Dec 16, 2025, 3:30 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 8.3
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.