Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2025-68257

Severity: Pending analysis
Type: Not available / Other type
Publication date: 16/12/2025
Last modified: 18/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: check device's attached status in compat ioctls

Syzbot identified an issue [1] that crashes kernel, seemingly due to
unexistent callback dev->get_valid_routes(). By all means, this should
not occur as said callback must always be set to
get_zero_valid_routes() in __comedi_device_postconfig().

As the crash seems to appear exclusively in i386 kernels, at least,
judging from [1] reports, the blame lies with compat versions
of standard IOCTL handlers. Several of them are modified and
do not use comedi_unlocked_ioctl(). While functionality of these
ioctls essentially copy their original versions, they do not
have required sanity check for device's attached status. This,
in turn, leads to a possibility of calling select IOCTLs on a
device that has not been properly setup, even via COMEDI_DEVCONFIG.

Doing so on unconfigured devices means that several crucial steps
are missed, for instance, specifying dev->get_valid_routes()
callback.

Fix this somewhat crudely by ensuring device's attached status before
performing any ioctls, improving logic consistency between modern
and compat functions.

[1] Syzbot report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
Call Trace:
 get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
 parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
 comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
 __do_compat_sys_ioctl fs/ioctl.c:695 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:638 [inline]
 __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
...
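The missing check described above, as an added userspace model that is not the kernel's code or the actual patch: a compat entry point that skips the attached check reaches a callback that configuration never installed, while the checked version refuses the request. All `model_*` names, `MODEL_CRASH`, and the choice of `-ENODEV` as the error are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not kernel code. */
#define MODEL_CRASH (-1000) /* stands in for the NULL pointer dereference */

struct model_dev {
    bool attached;                                  /* set once configured */
    int (*get_valid_routes)(struct model_dev *dev); /* set by postconfig */
};

static int zero_valid_routes(struct model_dev *dev) { (void)dev; return 0; }

/* Configuration step: installs the callback, then marks the device attached. */
static void model_postconfig(struct model_dev *dev)
{
    dev->get_valid_routes = zero_valid_routes;
    dev->attached = true;
}

/* Shared worker: the kernel code calls the callback unconditionally;
 * the model reports the unset callback instead of dereferencing it. */
static int model_do_insn(struct model_dev *dev)
{
    if (!dev->get_valid_routes)
        return MODEL_CRASH;
    return dev->get_valid_routes(dev);
}

/* Compat entry point before the fix: no attached check. */
static int model_compat_ioctl_before(struct model_dev *dev)
{
    return model_do_insn(dev);
}

/* Compat entry point after the fix: same gate as the native path
 * (error code is an assumption; the page does not name it). */
static int model_compat_ioctl_after(struct model_dev *dev)
{
    return dev->attached ? model_do_insn(dev) : -ENODEV;
}

int main(void)
{
    struct model_dev dev = { 0 }; /* constructed: never configured */
    printf("before fix: %d\n", model_compat_ioctl_before(&dev));
    printf("after fix:  %d\n", model_compat_ioctl_after(&dev));
    model_postconfig(&dev);
    printf("configured: %d\n", model_compat_ioctl_after(&dev));
    return 0;
}
```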

Impact