[bug] Kernel page fault in COMEDI 8255 driver

From: 许东洁

Date: Sun Nov 30 2025 - 04:10:56 EST


Hello,

A kernel page fault vulnerability was discovered in the COMEDI 8255 subsystem
using the syzkaller fuzzing tool.

The issue occurs when initializing multiple 8255 subdevices with mixed valid
and conflicting I/O port addresses. The driver fails to properly handle the
cleanup of subdevices with port conflicts, leading to invalid memory access.

Specific mechanism:
- In dev_8255_attach() in drivers/comedi/drivers/8255.c, when
__comedi_request_region() fails due to I/O port conflicts, the subdevice
is marked as COMEDI_SUBD_UNUSED
- However, subsequent successful subdevice initializations set global state
that affects all subdevices
- When user space later attempts I/O operations on the conflicting subdevices,
subdev_8255_io() in drivers/comedi/drivers/comedi_8255.c uses invalid
address calculations
- This results in a kernel page fault when executing an outb instruction with
an invalid I/O address
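To illustrate the defensive pattern the mechanism above calls for (a subdevice whose region request failed must never reach the port-I/O path), here is an added stand-alone model, not code from the kernel or from this report. It assumes a hypothetical toy device with a mock port space and a reserved-region table in place of the real comedi_device/comedi_subdevice structures and __comedi_request_region(); names such as model_attach, model_io and model_detach are invented for the example. The I/O entry point refuses to compute any port address for a subdevice left in the unused state, and detach releases only regions that were actually acquired.

```c
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Constructed toy model: a 0x400-byte port space plus a byte-per-port
 * reservation table standing in for the kernel's I/O resource tree. */
#define PORT_SPACE   0x400
#define I8255_SIZE   4
#define MAX_SUBDEVS  4

enum subd_type { SUBD_UNUSED = 0, SUBD_DIO = 1 };

struct subdev {
    enum subd_type type;
    unsigned long iobase;   /* stays 0 when the region request failed */
};

struct device {
    struct subdev s[MAX_SUBDEVS];
    int n_subdevs;
};

static uint8_t port_space[PORT_SPACE];
static uint8_t reserved[PORT_SPACE];

/* Mock of outb(): writes into the fake port space instead of real hardware. */
static void mock_outb(uint8_t val, unsigned long port)
{
    port_space[port] = val;
}

/* Mock of a region request: fails with -EBUSY on any overlap, -EINVAL if
 * the range does not fit in the port space. Nothing is reserved on failure. */
static int request_region(unsigned long base, unsigned long len)
{
    if (base + len > PORT_SPACE)
        return -EINVAL;
    for (unsigned long p = base; p < base + len; p++)
        if (reserved[p])
            return -EBUSY;
    memset(&reserved[base], 1, len);
    return 0;
}

static void release_region(unsigned long base, unsigned long len)
{
    memset(&reserved[base], 0, len);
}

/* Attach n subdevices at the given bases. A failed request leaves the
 * subdevice explicitly unused with no base address, and state is kept
 * per subdevice so a later successful attach cannot alter it. */
int model_attach(struct device *dev, const unsigned long *iobases, int n)
{
    if (n < 0 || n > MAX_SUBDEVS)
        return -EINVAL;
    memset(dev, 0, sizeof(*dev));
    dev->n_subdevs = n;
    for (int i = 0; i < n; i++) {
        struct subdev *s = &dev->s[i];
        if (request_region(iobases[i], I8255_SIZE)) {
            s->type = SUBD_UNUSED;
            s->iobase = 0;
            continue;
        }
        s->type = SUBD_DIO;
        s->iobase = iobases[i];
    }
    return 0;
}

/* Hardened I/O path: validate the subdevice state and register offset
 * before any address arithmetic, so an unused subdevice never reaches outb. */
int model_io(struct device *dev, int idx, int reg, uint8_t data)
{
    if (idx < 0 || idx >= dev->n_subdevs)
        return -EINVAL;
    struct subdev *s = &dev->s[idx];
    if (s->type == SUBD_UNUSED || s->iobase == 0)
        return -ENODEV;
    if (reg < 0 || reg >= I8255_SIZE)
        return -EINVAL;
    mock_outb(data, s->iobase + reg);
    return 0;
}

/* Cleanup releases only the regions that were actually acquired. */
void model_detach(struct device *dev)
{
    for (int i = 0; i < dev->n_subdevs; i++) {
        if (dev->s[i].type != SUBD_UNUSED)
            release_region(dev->s[i].iobase, I8255_SIZE);
        dev->s[i].type = SUBD_UNUSED;
        dev->s[i].iobase = 0;
    }
}

/* Test helpers for inspecting the mock port space and reservation table. */
uint8_t model_peek(unsigned long port) { return port_space[port]; }
int model_is_reserved(unsigned long port) { return reserved[port]; }
```

In this model the second subdevice in a list such as {0x100, 0x100, 0x200} conflicts with the first, is left unused, and every I/O request against it is rejected with -ENODEV before an address is formed; detach then releases 0x100 and 0x200 exactly once each.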

Crash signature:
BUG: unable to handle kernel paging request in subdev_8255_io
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation

Call trace:
subdev_8255_io() -> outb() with invalid address

Config file: https://github.com/j1akai/KConfigFuzz_bug/blob/main/x86/mainline-config
Additional fuzzing context (report file, reproduce file, etc.): https://github.com/PLASSICAxu/OS-bug/tree/main/subdev_8255

Acknowledgments,
Xu Dongjie
University of Chinese Academy of Sciences