lists.openwall.net
Open Source and information security mailing list archives

Message-ID: <AGIA5wD9Jtriv45eZrY*tar9.1.1764422359102.Hmail.2200013188@stu.pku.edu.cn>
Date: Sat, 29 Nov 2025 21:19:19 +0800 (GMT+08:00)
From: 李天宇 <2200013188@....pku.edu.cn>
To: linux-kernel <linux-kernel@...r.kernel.org>
Cc: abbotti <abbotti@....co.uk>, hsweeten <hsweeten@...ionengravers.com>, 
	xujiakai2025 <xujiakai2025@...as.ac.cn>, 
	"zhaoruilin22@...ls.ucas.ac.cn" <zhaoruilin22@...ls.ucas.ac.cn>
Subject: [BUG] Drivers/8255: Page fault in comedi_8255.c

Hi,

There’s a bug in the comedi_8255.c file, specifically related to a page fault. This issue occurs when an illegal address is passed as a parameter to outb() function at line 47. This illegal address is subsequently used in asm code, leading to a page fault when trying to write to -0x70(%rsi).

The bug was initially discovered via a fuzzing framework on Linux kernel version 6.18-rc6, and it was later found reproducible on Linux kernel version 6.18-rc7.

After analyzing the calling stack, I suspect that the root cause may lie in the dev_8255_attach function. Specifically, at 8255.c:70, when reading iobase from it->options[i], there seems to be no validation for the conversion from int to unsigned long. If a negative value is encountered, it is cast to an illegally large number (e.g., 0xffff…), which may be causing the issue.

I’m not entirely confident in this analysis, but fortunately, there’s enough information provided for your reference:

	Kernel Source: https://git.kernel.org/torvalds/t/linux-6.18-rc7.tar.gz
	Configuration: https://github.com/j1akai/KConfigFuzz_bug/raw/refs/heads/main/x86/mainline-config
	Reproducible Code: https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/405536bde2d1b503f3903a2a3de2d6dd94cef0a3/repro.cprog
	GCC Info: https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/405536bde2d1b503f3903a2a3de2d6dd94cef0a3/gccinfo
	Kernel Log(First found): https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/405536bde2d1b503f3903a2a3de2d6dd94cef0a3/report0
	Kernel Log(Later Repro): https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/405536bde2d1b503f3903a2a3de2d6dd94cef0a3/report

I hope this information is helpful in identifying and resolving the issue. Thanks for your time and attention.
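Added illustration (editor's example, not code from the report, its reproducer, or the kernel tree) of the int to unsigned long conversion the report suspects. The first helper mirrors the unchecked assignment `iobase = it->options[i]` and shows that a negative option sign-extends to a value like 0xffffffffffffffff on a 64-bit build; the second shows the kind of range check an attach routine could apply before the value reaches request_region() or outb(). The options array size (32), the 0xffff legacy x86 I/O port limit, and the 4-byte region size are stand-ins chosen for the example; whether this conversion is the actual cause of the reported fault is not established by the report.

```c
/*
 * Editor's added example. Not kernel code: the array size, the port-space
 * limit and the region size below are assumptions chosen for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

#define NDEVCONFOPTS   32        /* assumed size of the options array */
#define IO_PORT_LIMIT  0xffffUL  /* assumed last valid legacy x86 I/O port */
#define REGION_SIZE    4UL       /* assumed bytes claimed per 8255 chip */

/* Mirrors the unchecked assignment: a negative int is sign-extended. */
unsigned long raw_iobase_from_option(int option)
{
	unsigned long iobase = option;
	return iobase;
}

/*
 * Validated alternative: reject negative (and zero) values before widening,
 * and reject bases whose region would not fit inside the port space. The
 * subtraction form avoids the wrap that `iobase + REGION_SIZE - 1` could hit.
 */
bool iobase_from_option(int option, unsigned long *iobase)
{
	if (option <= 0)
		return false;
	if ((unsigned long)option > IO_PORT_LIMIT - (REGION_SIZE - 1))
		return false;
	*iobase = (unsigned long)option;
	return true;
}

/*
 * Walk an options array the way an attach routine would: the leading
 * non-zero entries are I/O bases, a zero entry terminates the list. Returns
 * the number of usable bases, or -1 on the first entry that fails the check.
 */
int collect_iobases(const int *options, int n, unsigned long *out)
{
	int i;

	for (i = 0; i < n; i++) {
		if (options[i] == 0)
			break;
		if (!iobase_from_option(options[i], &out[i]))
			return -1;
	}
	return i;
}

int main(void)
{
	/* Constructed sample configurations, not taken from the reproducer. */
	int good[NDEVCONFOPTS] = { 0x200, 0x204, 0 };
	int bad[NDEVCONFOPTS] = { 0x200, -1, 0 };
	unsigned long bases[NDEVCONFOPTS];

	printf("unchecked conversion of -1: 0x%lx\n", raw_iobase_from_option(-1));
	printf("good config: %d base(s) accepted\n",
	       collect_iobases(good, NDEVCONFOPTS, bases));
	printf("bad config: %d (negative option rejected)\n",
	       collect_iobases(bad, NDEVCONFOPTS, bases));
	return 0;
}
```

The check is deliberately written as `option > LIMIT - (SIZE - 1)` rather than `option + SIZE - 1 > LIMIT` so that a huge value cannot wrap around and pass; the same wrap concern applies to any `start + len - 1` computed from an unvalidated base.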
