From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 07:50:19 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.297~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec771371c368c5dfa7a58ddd5616358ae6812389;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch
---
diff --git a/queue-5.10/comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch b/queue-5.10/comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch
new file mode 100644
index 0000000000..3561f00daf
--- /dev/null
+++ b/queue-5.10/comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch
@@ -0,0 +1,79 @@
+From abbotti@mev.co.uk Thu Jul 24 20:13:25 2025
+From: Ian Abbott
+Date: Thu, 24 Jul 2025 19:12:49 +0100
+Subject: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
+To: stable@vger.kernel.org
+Cc: Ian Abbott , syzbot+d6995b62e5ac7d79557a@syzkaller.appspotmail.com, Greg Kroah-Hartman
+Message-ID: <20250724181257.291722-1-abbotti@mev.co.uk>
+
+From: Ian Abbott
+
+[ Upstream commit 08ae4b20f5e82101d77326ecab9089e110f224cc ]
+
+The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to
+hold the array of `struct comedi_insn`, getting the length from the
+`n_insns` member of the `struct comedi_insnlist` supplied by the user.
+The allocation will fail with a WARNING and a stack dump if it is too
+large.
+
+Avoid that by failing with an `-EINVAL` error if the supplied `n_insns`
+value is unreasonable.
+
+Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set
+this to the same value as `MAX_SAMPLES` (65536), which is the maximum
+allowed sum of the values of the member `n` in the array of `struct
+comedi_insn`, and sensible comedi instructions will have an `n` of at
+least 1.
+
+Reported-by: syzbot+d6995b62e5ac7d79557a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d6995b62e5ac7d79557a
+Fixes: ed9eccbe8970 ("Staging: add comedi core")
+Tested-by: Ian Abbott
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20250704120405.83028-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/comedi_fops.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1607,6 +1607,16 @@ error:
+ return i;
+ }
+
++#define MAX_INSNS MAX_SAMPLES
++static int check_insnlist_len(struct comedi_device *dev, unsigned int n_insns)
++{
++ if (n_insns > MAX_INSNS) {
++ dev_dbg(dev->class_dev, "insnlist length too large\n");
++ return -EINVAL;
++ }
++ return 0;
++}
++
+ /*
+ * COMEDI_INSN ioctl
+ * synchronous instruction
+@@ -2261,6 +2271,9 @@ static long comedi_unlocked_ioctl(struct
+ rc = -EFAULT;
+ break;
+ }
++ rc = check_insnlist_len(dev, insnlist.n_insns);
++ if (rc)
++ break;
+ insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL);
+ if (!insns) {
+ rc = -ENOMEM;
+@@ -3112,6 +3125,9 @@ static int compat_insnlist(struct file *
+ if (copy_from_user(&insnlist32, compat_ptr(arg), sizeof(insnlist32)))
+ return -EFAULT;
+
++ rc = check_insnlist_len(dev, insnlist32.n_insns);
++ if (rc)
++ return rc;
+ insns = kcalloc(insnlist32.n_insns, sizeof(*insns), GFP_KERNEL);
+ if (!insns)
+ return -ENOMEM;
diff --git a/queue-5.10/series b/queue-5.10/series
index 84372b19d0..f7fa39d321 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
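Review bot: The reason `MAX_INSNS` is tied to `MAX_SAMPLES` lives only in the commit message; the new `#define MAX_INSNS MAX_SAMPLES` line above `check_insnlist_len()` carries no comment, so a later reader of comedi_fops.c cannot tell why an instruction count is bounded by the sample limit or whether the two values may safely diverge. I would put the rationale next to the define: `/* Bound on insnlist.n_insns: each valid insn has n >= 1 and the sum of n is already capped at MAX_SAMPLES, so a longer list can never be valid. */`. The helper itself only bounds the count handed to kcalloc(); the existing sum-of-`n` check it relies on is not in this hunk, so that dependency is taken from the description rather than visible here. Both callers (`comedi_unlocked_ioctl` and `compat_insnlist`) start and end outside the hunk.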
@@ -434,3 +434,4 @@ block-make-req_op_zone_finish-a-write-operation.patch
 hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch
 usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch
 cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch
+comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch