| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025121613-CVE-2025-68258-9a76@gregkh> Date: Tue, 16 Dec 2025 15:45:15 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68258: comedi: multiq3: sanitize config options in multiq3_attach() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_attach() via it->options[2], then multiple calls to multiq3_encoder_reset() at the end of driver-specific attach() method will be running for minutes, thus blocking tasks and affected devices as well. While this issue is most likely not too dangerous for real-life devices, it still makes sense to sanitize configuration inputs. Enable a sensible limit on the number of encoder chips (4 chips max, each with 2 channels) to stop this behaviour from manifesting. [1] Syzbot crash: INFO: task syz.2.19:6067 blocked for more than 143 seconds. ... Call Trace: <TASK> context_switch kernel/sched/core.c:5254 [inline] __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 __schedule_loop kernel/sched/core.c:6944 [inline] schedule+0x165/0x360 kernel/sched/core.c:6959 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 do_dentry_open+0x953/0x13f0 fs/open.c:965 vfs_open+0x3b/0x340 fs/open.c:1097 ... The Linux kernel CVE team has assigned CVE-2025-68258 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.30 with commit 77e01cdbad5175f56027fd6fae00bd0fc175651a and fixed in 6.12.62 with commit 8952bc1973cd54158c35e06bfb8c29ace7375a48 Issue introduced in 2.6.30 with commit 77e01cdbad5175f56027fd6fae00bd0fc175651a and fixed in 6.17.12 with commit 8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3 Issue introduced in 2.6.30 with commit 77e01cdbad5175f56027fd6fae00bd0fc175651a and fixed in 6.18.1 with commit 543f4c380c2e1f35e60528df7cb54705cda7fee3 Issue introduced in 2.6.30 with commit 77e01cdbad5175f56027fd6fae00bd0fc175651a and fixed in 6.19-rc1 with commit f24c6e3a39fa355dabfb684c9ca82db579534e72 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68258 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/comedi/drivers/multiq3.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/8952bc1973cd54158c35e06bfb8c29ace7375a48 https://git.kernel.org/stable/c/8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3 https://git.kernel.org/stable/c/543f4c380c2e1f35e60528df7cb54705cda7fee3 https://git.kernel.org/stable/c/f24c6e3a39fa355dabfb684c9ca82db579534e72
Powered by blists - more mailing lists