CVE-2025-68257

Summary

In the Linux kernel, the following vulnerability has been resolved:

comedi: check device's attached status in compat ioctls

Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig().

As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard IOCTL handlers. Several of them are modified and do not use comedi_unlocked_ioctl(). While functionality of these ioctls essentially copy their original versions, they do not have required sanity check for device's attached status. This, in turn, leads to a possibility of calling select IOCTLs on a device that has not been properly setup, even via COMEDI_DEVCONFIG.

Doing so on unconfigured devices means that several crucial steps are missed, for instance, specifying dev->get_valid_routes() callback.

Fix this somewhat crudely by ensuring device's attached status before performing any ioctls, improving logic consistency between modern and compat functions.

[1] Syzbot report: BUG: kernel NULL pointer dereference, address: 0000000000000000 … CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 Call Trace: <TASK> get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 __do_compat_sys_ioctl fs/ioctl.c:695 [inline] __se_compat_sys_ioctl fs/ioctl.c:638 [inline] __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] …

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3fbfd2223a271426509830e6340c386a1054cfad < 4836ba483a22ebd076c8faaf8293a7295fad4142affected
LinuxLinux3fbfd2223a271426509830e6340c386a1054cfad < 7141915bf0c41cb57d83cdbaf695b8c731b16b71affected
LinuxLinux3fbfd2223a271426509830e6340c386a1054cfad < f13895c03620933a58907e3250016f087e39b78caffected
LinuxLinux3fbfd2223a271426509830e6340c386a1054cfad < b975f91de5f8f63cf490f0393775cc795f8b0557affected
LinuxLinux3fbfd2223a271426509830e6340c386a1054cfad < f6e629dfe6f590091c662a87c9fcf118b1c1c7dcaffected
LinuxLinux3fbfd2223a271426509830e6340c386a1054cfad < 573b07d2e3d473ee7eb625ef87519922cf01168daffected
LinuxLinux3fbfd2223a271426509830e6340c386a1054cfad < aac80e912de306815297a3b74f0426873ffa7dc3affected
LinuxLinux3fbfd2223a271426509830e6340c386a1054cfad < 0de7d9cd07a2671fa6089173bccc0b2afe6b93eeaffected
LinuxLinux5.8affected
LinuxLinux0 < 5.8unaffected
LinuxLinux5.10.248 <= 5.10.*unaffected
LinuxLinux5.15.198 <= 5.15.*unaffected
LinuxLinux6.1.160 <= 6.1.*unaffected
LinuxLinux6.6.120 <= 6.6.*unaffected
LinuxLinux6.12.62 <= 6.12.*unaffected
LinuxLinux6.17.12 <= 6.17.*unaffected
LinuxLinux6.18.1 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References