lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <87frc62xyg.fsf@gmail.com>
Date: Sun, 28 Sep 2025 13:08:48 -0600
From: Abhinav Saxena <xandfury@...il.com>
To: Ian Abbott <abbotti@....co.uk>
Cc: Edward Adam Davis <eadavis@...com>,
 syzbot+f1bb7e4ea47ea12b535c@...kaller.appspotmail.com,
 hsweeten@...ionengravers.com, linux-kernel@...r.kernel.org,
 syzkaller-bugs@...glegroups.com, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] comedi: aio_iiro_16: Prevent invlaid irq number

Ian Abbott <abbotti@....co.uk> writes:

> On 08/07/2025 13:37, Edward Adam Davis wrote:
>> The irq number 0x2166 passed by the reproducer is too large and is not
>> within the supported range [2-7, 10-12, 14, or 15], which triggers the oob.
>> Fixes: ad7a370c8be4 (“staging: comedi: aio_iiro_16: add command
>> support for change of state detection”)
>> Reported-by: syzbot+f1bb7e4ea47ea12b535c@...kaller.appspotmail.com
>> Closes: <https://syzkaller.appspot.com/bug?extid=f1bb7e4ea47ea12b535c>
>> Signed-off-by: Edward Adam Davis <eadavis@...com>
>> —
>>   drivers/comedi/drivers/aio_iiro_16.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>> diff –git a/drivers/comedi/drivers/aio_iiro_16.c
>> b/drivers/comedi/drivers/aio_iiro_16.c
>> index b00fab0b89d4..e43730f00c8b 100644
>> — a/drivers/comedi/drivers/aio_iiro_16.c
>> +++ b/drivers/comedi/drivers/aio_iiro_16.c
>> @@ -177,7 +177,8 @@ static int aio_iiro_16_attach(struct comedi_device *dev,
>>   	 * Digital input change of state interrupts are optionally supported
>>   	 * using IRQ 2-7, 10-12, 14, or 15.
>>   	 */
>> -	if ((1 << it->options[1]) & 0xdcfc) {
>> +	if (it->options[1] > 1 && it->options[1] < 16 &&
>> +	    (1 << it->options[1]) & 0xdcfc) {
>>   		ret = request_irq(it->options[1], aio_iiro_16_cos, 0,
>>   				  dev->board_name, dev);
>>   		if (ret == 0)
>
> The patch is fine apart from the misspelling of “invalid” in the subject
> line, but I’d already submitted a patch for this before syzbot detected
> it:
>
> <https://lore.kernel.org/lkml/20250707134622.75403-1-abbotti@mev.co.uk/>

#syz fix: comedi: aio_iiro_16: Fix bit shift out of bounds

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ