Message-ID: <tencent_E396D637CE4A26757F761367A83C5D366809@qq.com>
Date: Sun, 21 Sep 2025 20:20:35 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+a56aa983ce6a1bf12485@...kaller.appspotmail.com
Cc: dakr@...nel.org,
	gregkh@...uxfoundation.org,
	linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	rafael@...nel.org,
	syzkaller-bugs@...glegroups.com
Subject: [PATCH] comedi: Unregister is prohibited when attach fails before register

The reproducer executed the COMEDI_DEVCONFIG command twice against the
c6xdigio driver, first for device comedi3 and then for comedi1. Because
the c6xdigio driver only supports a single port, the COMEDI_DEVCONFIG
command for device comedi1 failed, and the registered driver was released
by executing a detach.

Subsequently, another process attempted the same attach, resulting in a
UAF error when accessing the released drv->p during detach.

When the c6xdigio driver fails to attach, it sets driver to NULL to prevent
the comedi device from calling the detach command of the underlying c6xdigio
driver.

syzbot reported:
CPU: 1 UID: 0 PID: 6035 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
BUG: KASAN: slab-use-after-free in sysfs_remove_file_ns+0x63/0x70 fs/sysfs/file.c:522
Call Trace:
 driver_remove_file+0x4a/0x60 drivers/base/driver.c:197
 bus_remove_driver+0x224/0x2c0 drivers/base/bus.c:743
 driver_unregister+0x76/0xb0 drivers/base/driver.c:277
 comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
 comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
 comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011

Allocated by task 6034:
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 bus_add_driver+0x92/0x690 drivers/base/bus.c:662
 driver_register+0x15c/0x4b0 drivers/base/driver.c:249
 c6xdigio_attach drivers/comedi/drivers/c6xdigio.c:253 [inline]

Freed by task 6034:
 kobject_put+0x1e7/0x5a0 lib/kobject.c:737
 bus_remove_driver+0x16e/0x2c0 drivers/base/bus.c:749
 driver_unregister+0x76/0xb0 drivers/base/driver.c:277
 comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
 comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
 comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011

Fixes: 2c89e159cd2f ("Staging: comedi: add c6xdigio driver")
Reported-by: syzbot+a56aa983ce6a1bf12485@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a56aa983ce6a1bf12485
Tested-by: syzbot+a56aa983ce6a1bf12485@...kaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
 drivers/comedi/drivers/c6xdigio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/comedi/drivers/c6xdigio.c b/drivers/comedi/drivers/c6xdigio.c
index 14b90d1c64dc..023c72e589a7 100644
--- a/drivers/comedi/drivers/c6xdigio.c
+++ b/drivers/comedi/drivers/c6xdigio.c
@@ -242,8 +242,10 @@ static int c6xdigio_attach(struct comedi_device *dev,
 	int ret;
 
 	ret = comedi_request_region(dev, it->options[0], 0x03);
-	if (ret)
+	if (ret) {
+		dev->driver = NULL;
 		return ret;
+	}
 
 	ret = comedi_alloc_subdevices(dev, 2);
 	if (ret)
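
Review bot: The dev->driver = NULL assignment covers only the comedi_request_region() failure, while the comedi_alloc_subdevices() failure in the trailing context also returns before the driver_register() call that the KASAN report places at c6xdigio.c:253. That second path still ends in the detach and its driver_unregister(), which is the case the subject line says must not happen. Consider treating every pre-registration failure the same way, for example by recording whether registration succeeded and unregistering in detach only in that case, rather than clearing dev->driver in one branch. If the assignment stays, it needs a comment saying that it exists to keep the comedi core from calling this driver's detach after a failed attach.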
-- 
2.43.0

