lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2025072008-stubbly-imbecile-0d61@gregkh>
Date: Sun, 20 Jul 2025 10:35:56 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Prabhakar Pujeri <prabhakar.pujeri@...il.com>
Cc: abbotti@....co.uk, hsweeten@...ionengravers.com,
	linux-kernel@...r.kernel.org,
	Super User <root@...alhost.localdomain>,
	syzbot+ab8008c24e84adee93ff@...kaller.appspotmail.com
Subject: Re: [PATCH] [PATCH] comedi: check for NULL get_valid_routes function
 pointer

On Sun, Jul 20, 2025 at 02:33:50AM -0500, Prabhakar Pujeri wrote:
> From: Super User <root@...alhost.localdomain>

I don't think you have your git setup properly :(

And look at the subject line, two "[PATCH]"?

> The function get_valid_routes() calls the low-level driver's
> dev->get_valid_routes() callback directly without checking if it is
> set. If this function pointer is NULL, the kernel crashes with a
> NULL instruction pointer dereference.
> 
> This patch adds a check to ensure the callback is present before
> calling it, and returns -EINVAL if it is missing.
> 
> This prevents a kernel crash when user space invokes an ioctl that
> results in get_valid_routes() being called on drivers that do not
> implement the callback.
> 
> Reported-by: syzbot+ab8008c24e84adee93ff@...kaller.appspotmail.com

Was this tested?  If so, please provide that information.

> Signed-off-by: Prabhakar Pujeri <prabhakar.pujeri@...il.com>
> ---
>  drivers/comedi/comedi_fops.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
> index 3383a7ce27ff..2b8cb280287b 100644
> --- a/drivers/comedi/comedi_fops.c
> +++ b/drivers/comedi/comedi_fops.c
> @@ -1302,6 +1302,11 @@ static int check_insn_device_config_length(struct comedi_insn *insn,
>  static int get_valid_routes(struct comedi_device *dev, unsigned int *data)
>  {
>  	lockdep_assert_held(&dev->mutex);
> +	if (!dev->get_valid_routes) {
> +		dev_warn(dev->class_dev ?: dev->hw_dev,
> +				"get_valid_routes() not implemented\n");

Why are you allowing userspace to flood the kernel log?  If this is
something that userspace can trigger, it needs to be handled much
better.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ