| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a687f917-6e4f-4452-8189-d4b539c533f0@mev.co.uk>
Date: Thu, 23 Oct 2025 15:28:28 +0100
From: Ian Abbott <abbotti@....co.uk>
To: Nikita Zhandarovich <n.zhandarovich@...tech.ru>,
H Hartley Sweeten <hsweeten@...ionengravers.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH v2] comedi: pcl818: fix null-ptr-deref in
pcl818_ai_cancel()
On 23/10/2025 15:14, Nikita Zhandarovich wrote:
> Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
> the fact that in case of early device detach via pcl818_detach(),
> subdevice dev->read_subdev may not have initialized its pointer to
> &struct comedi_async as intended. Thus, any such dereferencing of
> &s->async->cmd will lead to general protection fault and kernel crash.
>
> Mitigate this problem by removing a call to pcl818_ai_cancel() from
> pcl818_detach() altogether. This way, if the subdevice setups its
> support for async commands, everything async-related will be
> handled via subdevice's own ->cancel() function in
> comedi_device_detach_locked() even before pcl818_detach(). If no
> support for asynchronous commands is provided, there is no need
> to cancel anything either.
>
> [1] Syzbot crash:
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
> CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
> RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
> ...
> Call Trace:
> <TASK>
> pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
> comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
> do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
> comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:597 [inline]
> ...
>
> Reported-by: syzbot+fce5d9d5bd067d6fbe9b@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=fce5d9d5bd067d6fbe9b
> Fixes: 00aba6e7b565 ("staging: comedi: pcl818: remove 'neverending_ai' from private data")
> Cc: stable@...r.kernel.org
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
> ---
> v1 -> v2: Switch to a better, more logical approach, put forward by
> Ian Abbott <abbotti@....co.uk>, instead of doing an awkward
> check in pcl818_ai_cancel() itself. Adjust commit description.
>
> P.S. I've chosen to keep the old Fixes: tag. Not sure it's best,
> but it's at least partially correct.
>
> drivers/comedi/drivers/pcl818.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/comedi/drivers/pcl818.c b/drivers/comedi/drivers/pcl818.c
> index 4127adcfb229..06fe06396f23 100644
> --- a/drivers/comedi/drivers/pcl818.c
> +++ b/drivers/comedi/drivers/pcl818.c
> @@ -1111,10 +1111,9 @@ static void pcl818_detach(struct comedi_device *dev)
> {
> struct pcl818_private *devpriv = dev->private;
>
> - if (devpriv) {
> - pcl818_ai_cancel(dev, dev->read_subdev);
> + if (devpriv)
> pcl818_reset(dev);
> - }
> +
> pcl818_free_dma(dev);
> comedi_legacy_detach(dev);
> }
Looks good. Thanks for the patch!
Reviewed-by: Ian Abbott <abbotti@....co.uk>
--
-=( Ian Abbott <abbotti@....co.uk> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-
Powered by blists - more mailing lists