Linux Kernel Comedi DT2815 Driver Crash Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Comedi DT2815 driver can lead to a crash when the driver is attached to I/O ports without actual hardware. This issue arises because the driver can be connected to arbitrary I/O addresses via the COMEDI_DEVCONFIG ioctl. When no hardware is present at the specified port, input operations return 0xff (indicating a floating bus), while output operations can cause page faults due to undefined behavior, particularly under race conditions. The vulnerability has been addressed by adding hardware detection to the driver, ensuring it only attempts to communicate with I/O ports that have actual hardware present.

Impact

Exploitation of this vulnerability causes the driver to crash, disrupting any processes or applications that rely on it.

Reproduction

To reproduce this vulnerability, attach the Comedi DT2815 driver to an I/O port that does not have hardware present. This can be done by using the COMEDI_DEVCONFIG ioctl to specify an arbitrary I/O address. Once the driver is attached, it will attempt to read from the status register. The absence of hardware will be indicated by a floating bus read of 0xff. However, the driver will still try to write to the I/O port, which can trigger a page fault and cause a crash.

Remediation

The vulnerability has been fixed in the Linux kernel by adding a check for hardware presence before attempting any I/O operations. Users should update to the latest version of the Linux kernel where this fix has been applied.
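The hardware-presence check described above, as an added example rather than the kernel's actual patch: a userspace C model that contrasts an attach routine that writes blindly with one that probes the status register first. The `mock_bus` struct, `mock_inb`/`mock_outb` helpers, function names and the register offset are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define REG_STATUS   1     /* assumed status-register offset for this sketch */
#define FLOATING_BUS 0xff  /* value read when nothing decodes the port */

/* Constructed mock of an I/O port window; stands in for inb()/outb(). */
struct mock_bus {
    int present;      /* 1 if a card answers at this address range */
    uint8_t status;   /* value the card's status register returns */
    unsigned writes;  /* output cycles the driver has issued */
};

static uint8_t mock_inb(struct mock_bus *b, unsigned reg)
{
    (void)reg;
    return b->present ? b->status : FLOATING_BUS;
}

static void mock_outb(struct mock_bus *b, uint8_t val, unsigned reg)
{
    (void)val; (void)reg;
    b->writes++;
}

/* Before: programs the port without checking that anything answers. */
static int attach_unchecked(struct mock_bus *b)
{
    mock_outb(b, 0x00, REG_STATUS);  /* stand-in for configuration writes */
    return 0;
}

/* After: probe the status register and refuse to bind to an empty port. */
static int attach_checked(struct mock_bus *b)
{
    if (mock_inb(b, REG_STATUS) == FLOATING_BUS)
        return -ENODEV;              /* no write is ever issued */
    mock_outb(b, 0x00, REG_STATUS);
    return 0;
}

int main(void)
{
    struct mock_bus empty = { 0, 0, 0 }, card = { 1, 0x00, 0 }, bare = { 0, 0, 0 };
    int rc_empty = attach_checked(&empty), rc_card = attach_checked(&card);
    int rc_bare = attach_unchecked(&bare);
    printf("checked, empty port:   rc=%d writes=%u\n", rc_empty, empty.writes);
    printf("checked, card present: rc=%d writes=%u\n", rc_card, card.writes);
    printf("unchecked, empty port: rc=%d writes=%u\n", rc_bare, bare.writes);
    return 0;
}
```

In this model a card whose status register happens to read 0xff would also be rejected, which is the trade-off of using the floating-bus value as the presence test.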

Added: May 1, 2026, 4:39 PM
Updated: May 1, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.