| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2dd7ba02-6af0-4b66-9a72-d06da8b0057d@mev.co.uk> Date: Thu, 4 Dec 2025 17:11:38 +0000 From: Ian Abbott <abbotti@....co.uk> To: 李天宇 <2200013188@....pku.edu.cn>, linux-kernel <linux-kernel@...r.kernel.org> Cc: hsweeten <hsweeten@...ionengravers.com>, xujiakai2025 <xujiakai2025@...as.ac.cn>, "zhaoruilin22@...ls.ucas.ac.cn" <zhaoruilin22@...ls.ucas.ac.cn> Subject: Re: [BUG] Drivers/8255: Page fault in comedi_8255.c On 04/12/2025 12:03, 李天宇 wrote: > Hi Ian, > > Thank you very much for the analysis and your helpful suggestions. > > Following your hint, I performed additional experiments by modifying the I/O base address passed through COMEDI_DEVCONFIG. The results are quite interesting: > > - Using 0x100, 0x200, or 0x300 as the base address consistently triggers a kernel panic (page fault in subdev_8255_io). > - Removing the value entirely from the options array avoids the crash (I/O port conflict remains). > - Using 0x400 also does *not* trigger the issue. > > This seems to support your point that certain I/O port ranges may be problematic, and the fault is not solely caused by the conversion from negative values to an unsigned address. Instead, it may indeed be related to specific port regions conflicting or being unmapped during device initialization. There must be something special about those I/O port addresses on the test system, but nothing that the 8255 driver should care about. It's a non-PnP driver and the system administrator is supposed to supply the correct information when using the COMEDI_DEVCONFIG ioctl (via the comedi_config command). It's not unique to comedi. For example, non-PnP serial ports can be configured in the same way using the TIOCSSERIAL ioctl (via the setserial command). > At this point, I am not sufficiently familiar with the driver internals to confidently determine whether this behavior is expected or if it should be considered a bug. Given the reproducibility and the fact that unvalidated base addresses can lead to a direct page fault, I would like to ask: > > Do you think this should be treated as a bug in the 8255 driver, possibly requiring additional validation or rejection of unsupported I/O port ranges? If so, I would be happy to continue testing or assist in any way, but further guidance from someone experienced with this driver would be greatly appreciated. I think it does sufficient validation on the base address, but one improvement would be to only allow base addresses aligned to a 4-byte boundary, because (base & 3) != 0 does not make sense for an 8255 chip. One thing that will affect the fuzzing tests is that the "8255" driver in "linux-next" now returns an error as soon as it fails to reserve any I/O port region, so unless the special base addresses (0x100 etc.) appear early in the list before the conflicting base addresses, it won't crash. Best regards, Ian -- -=( Ian Abbott <abbotti@....co.uk> || MEV Ltd. is a company )=- -=( registered in England & Wales. Regd. number: 02862268. )=- -=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=- -=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-
Powered by blists - more mailing lists