Linux Kernel RIVA Framebuffer Driver Divide-By-Zero Vulnerability in NV3 Arbitration Code

Vulnerability

A divide-by-zero vulnerability has been identified in the Linux kernel's RIVA framebuffer driver. The issue arises in the NV3 arbitration code when the FBIOPUT_VSCREENINFO ioctl is called on /dev/fb*. The driver fails to validate the clock frequency derived from the PRAMDAC MCLK PLL before using it as a divisor, so a crafted device that exposes a bogus PLL configuration can cause a division by zero and crash the kernel. The vulnerability has been addressed by adding a check that the clock frequency is non-zero before the division is performed.
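A minimal userspace model of the pattern described above, added here as an illustration and not taken from the kernel driver: a device-supplied PLL value is turned into a clock frequency, which is checked for zero before it is used as a divisor. The register field layout, the 13500 kHz crystal frequency, the 10-cycle figure and the function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed PLL coefficient word layout (model only): M = bits 0-7,
 * N = bits 8-15, P = bits 16-19. */
static uint32_t derive_mclk_khz(uint32_t pll_reg, uint32_t crystal_khz)
{
    uint32_t m = pll_reg & 0xFF;
    uint32_t n = (pll_reg >> 8) & 0xFF;
    uint32_t p = (pll_reg >> 16) & 0x0F;

    if (m == 0)            /* unusable coefficients: report "no clock" */
        return 0;
    return (uint32_t)(((uint64_t)n * crystal_khz / m) >> p);
}

/* Arbitration-style step: convert memory-clock cycles to nanoseconds.
 * mclk_khz is the divisor, so it is validated first. Returns the latency
 * in ns, or -EINVAL when the device-supplied clock is zero. */
static long arb_latency_ns(uint32_t pll_reg, uint32_t crystal_khz,
                           uint32_t cycles)
{
    uint32_t mclk_khz = derive_mclk_khz(pll_reg, crystal_khz);

    if (mclk_khz == 0)     /* the non-zero check before the division */
        return -EINVAL;
    return (long)((uint64_t)cycles * 1000000u / mclk_khz);
}

int main(void)
{
    /* Constructed register values, not captured from hardware. */
    const uint32_t samples[] = { 0x0000C81B,   /* N=200, M=27, P=0 */
                                 0x0000001B,   /* N=0: clock is 0 */
                                 0x00000000,   /* M=0 */
                                 0x000F01FF }; /* shifts down to 0 */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("pll=0x%08x -> %ld\n", (unsigned)samples[i],
               arb_latency_ns(samples[i], 13500, 10));
    return 0;
}
```

A frequency of zero can come from several distinct coefficient combinations, which is why the check sits on the derived value rather than on any single register field.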

Impact

Exploitation of this vulnerability leads to a kernel crash due to a divide-by-zero error, causing a denial of service by interrupting the normal operation of the system.

Reproduction

To reproduce this vulnerability, a userspace program calls the FBIOPUT_VSCREENINFO ioctl on a virtual framebuffer device. The precondition is a crafted or misconfigured PCI device that emulates a bogus PLL configuration, resulting in a zero value for the state->mclk_khz parameter. With that value in place, the ioctl triggers the RIVA NV3 arbitration code, which divides by zero and crashes the kernel.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Mar 18, 2026, 7:52 PM
Updated: Mar 18, 2026, 7:52 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.