lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a79f5854-a28a-4793-8ff6-8886f8292191@mev.co.uk>
Date: Sun, 20 Jul 2025 09:40:18 +0100
From: Ian Abbott <abbotti@....co.uk>
To: Prabhakar Pujeri <prabhakar.pujeri@...il.com>,
 hsweeten@...ionengravers.com
Cc: gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
 syzbot+ab8008c24e84adee93ff@...kaller.appspotmail.com
Subject: Re: [PATCH] [PATCH] comedi: check for NULL get_valid_routes function
 pointer

On 20/07/2025 08:33, Prabhakar Pujeri wrote:
> From: Super User <root@...alhost.localdomain>

I don't know why you added a "From:" line, but its details are bogus.

> The function get_valid_routes() calls the low-level driver's
> dev->get_valid_routes() callback directly without checking if it is
> set. If this function pointer is NULL, the kernel crashes with a
> NULL instruction pointer dereference.
> 
> This patch adds a check to ensure the callback is present before
> calling it, and returns -EINVAL if it is missing.
> 
> This prevents a kernel crash when user space invokes an ioctl that
> results in get_valid_routes() being called on drivers that do not
> implement the callback.

That's a reasonable guess, but the callback shouldn't be missing.  If 
the low-level driver does not set it, then the 
__comedi_device_postconfig(dev) call in "drivers.c" will set it to the 
address of the get_zero_valid_routes function.

> 
> Reported-by: syzbot+ab8008c24e84adee93ff@...kaller.appspotmail.com
> Signed-off-by: Prabhakar Pujeri <prabhakar.pujeri@...il.com>
> ---
>   drivers/comedi/comedi_fops.c | 5 +++++
>   1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
> index 3383a7ce27ff..2b8cb280287b 100644
> --- a/drivers/comedi/comedi_fops.c
> +++ b/drivers/comedi/comedi_fops.c
> @@ -1302,6 +1302,11 @@ static int check_insn_device_config_length(struct comedi_insn *insn,
>   static int get_valid_routes(struct comedi_device *dev, unsigned int *data)
>   {
>   	lockdep_assert_held(&dev->mutex);
> +	if (!dev->get_valid_routes) {
> +		dev_warn(dev->class_dev ?: dev->hw_dev,
> +				"get_valid_routes() not implemented\n");
> +		return -EINVAL;
> +	}
>   	data[1] = dev->get_valid_routes(dev, data[1], data + 2);
>   	return 0;
>   }


-- 
-=( Ian Abbott <abbotti@....co.uk> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ