Message-ID: <20251016110511.3460094-1-n.zhandarovich@fintech.ru>
Date: Thu, 16 Oct 2025 14:05:08 +0300
From: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
To: <syzbot+af53dea94b16396bc646@...kaller.appspotmail.com>, Ian Abbott
	<abbotti@....co.uk>, H Hartley Sweeten <hsweeten@...ionengravers.com>
CC: Nikita Zhandarovich <n.zhandarovich@...tech.ru>, Greg Kroah-Hartman
	<gregkh@...uxfoundation.org>, <linux-kernel@...r.kernel.org>,
	<lvc-project@...uxtesting.org>
Subject: Re: [syzbot] [kernel?] divide error in comedi_inc_scan_progress

> Oops: divide error: 0000 [#1] SMP KASAN PTI
> CPU: 0 UID: 0 PID: 11660 Comm: irq/7-comedi_pa Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
> RIP: 0010:comedi_inc_scan_progress+0x1a4/0x430 drivers/comedi/drivers.c:563

Hi,

I would like to solicit advice on how to properly address this
issue [1], if no one minds.

First, I think both problems, [1] and [2], are similar in the way
they are triggered. While there are no syzkaller-side reproducers for
either of them (even console logs do not have proper traces of what
combinations of syscalls provoked wrong division), the blame clearly
lies with comedi driver-specific interrupt handlers
(parport_interrupt, das16m1_interrupt etc.).

Syzkaller in its current state manages to fuzz select comedi drivers
by manually configuring them via the COMEDI_DEVCONFIG ioctl. In the course
of do_devconfig_ioctl() and, for instance, parport_attach() functions,
specific irq handlers are enabled (parport_interrupt) and these
handlers in turn interact with async->cmd->XXX values such as
async->cmd->chanlist_len.

However, in the absence of ioctls related to cmd setup, simply
after a single COMEDI_DEVCONFIG, async (and async->cmd) is
initialized in __comedi_device_postconfig_async() with kzalloc.

Thus, when there is an irq to be dealt with, these "empty"
comedi_async objects and, specifically, async->cmd->XXX are
processed, leading to erroneous divisions like in [1] and [2].

The easiest solution, similar to the one suggested in [2], is to check for
a zero-valued divisor. In the case of [1], comedi_inc_scan_progress
would look something like this:

	...
	if (!(s->subdev_flags & SDF_PACKED) && (cmd->chanlist_len != 0)) {
		async->cur_chan += comedi_bytes_to_samples(s, num_bytes);
		async->cur_chan %= cmd->chanlist_len;
	}
	...

Any suggestions are greatly appreciated!

P.S. To reiterate, I've failed to reproduce this error and this flawed
analysis is theoretical only.

[1] https://syzkaller.appspot.com/bug?extid=af53dea94b16396bc646
[2] https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c

Regards,
Nikita
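As an added illustration, not code from the mail above or from the comedi driver, here is a small user-space model of the situation the mail describes: an async object left all-zero as kzalloc() would leave it after COMEDI_DEVCONFIG alone, and a progress update carrying the proposed chanlist_len guard. The struct layouts and function names are simplified stand-ins, not the kernel's definitions.

```c
#include <stdlib.h>

/* Reduced models of the structures discussed (hypothetical, not the
 * kernel's definitions): only the fields the guard touches. */
struct comedi_cmd { unsigned int chanlist_len; };
struct comedi_async { struct comedi_cmd cmd; unsigned int cur_chan; };

/* Stand-in for the kzalloc() in __comedi_device_postconfig_async():
 * every field, including cmd.chanlist_len, starts out as zero. */
static struct comedi_async *postconfig_async(void)
{
	return calloc(1, sizeof(struct comedi_async));
}

/* Progress update with the zero-divisor guard proposed in the mail.
 * Returns 1 when cur_chan was advanced, 0 when no command is set up
 * (the unguarded version would execute cur_chan %= 0 at that point). */
static int inc_scan_progress_guarded(struct comedi_async *async,
				     unsigned int num_samples)
{
	if (async->cmd.chanlist_len == 0)
		return 0;
	async->cur_chan += num_samples;
	async->cur_chan %= async->cmd.chanlist_len;
	return 1;
}

/* Interrupt arriving after COMEDI_DEVCONFIG alone: nothing to divide by. */
static int irq_after_devconfig_only(void)
{
	struct comedi_async *async = postconfig_async();
	int done = inc_scan_progress_guarded(async, 3);

	free(async);
	return done;
}

/* Interrupt after a command with a 4-entry chanlist: normal wraparound. */
static unsigned int irq_after_cmd_setup(void)
{
	struct comedi_async *async = postconfig_async();
	unsigned int chan;

	async->cmd.chanlist_len = 4;
	inc_scan_progress_guarded(async, 3);
	inc_scan_progress_guarded(async, 3);	/* (3 + 3) % 4 == 2 */
	chan = async->cur_chan;
	free(async);
	return chan;
}
```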
