| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122220-CVE-2025-68335-6742@gregkh> Date: Mon, 22 Dec 2025 17:14:27 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68335: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to general protection fault and kernel crash. Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice setups its support for async commands, everything async-related will be handled via subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either. [1] Syzbot crash: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762 ... Call Trace: <TASK> pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline] comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] ... The Linux kernel CVE team has assigned CVE-2025-68335 to this issue. Affected and fixed versions =========================== Issue introduced in 3.15 with commit 00aba6e7b5653a6607238ecdab7172318059d984 and fixed in 6.12.62 with commit 5caa40e7c6a43e08e3574f990865127705c22861 Issue introduced in 3.15 with commit 00aba6e7b5653a6607238ecdab7172318059d984 and fixed in 6.17.12 with commit d948c53dec36dafe182631457597c49c1f1df5ea Issue introduced in 3.15 with commit 00aba6e7b5653a6607238ecdab7172318059d984 and fixed in 6.18.1 with commit 877adccfacb32687b90714a27cfb09f444fdfa16 Issue introduced in 3.15 with commit 00aba6e7b5653a6607238ecdab7172318059d984 and fixed in 6.19-rc1 with commit a51f025b5038abd3d22eed2ede4cd46793d89565 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68335 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/comedi/drivers/pcl818.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861 https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16 https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565
Powered by blists - more mailing lists