Re: [PATCH] comedi: zero-init data in do_insn_ioctl

From: Ian Abbott
Date: Fri Jul 25 2025 - 06:15:55 EST

Next message: Google: "Re: [PATCHv6 perf/core 09/22] uprobes/x86: Add uprobe syscall to speed up uprobe"
Previous message: shumingf: "[PATCH] soundwire: debugfs: add SCP_SDCA_IntStatX and SCP_SDCA_IntMaskX registers"
In reply to: Lecomte, Arnaud: "Re: [PATCH] comedi: zero-init data in do_insn_ioctl"
Next in thread: Lecomte, Arnaud: "Re: [PATCH] comedi: zero-init data in do_insn_ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 25/07/2025 10:43, Lecomte, Arnaud wrote:

Hi Ian,
Thanks for the feedback, I can send the revision of the patch by the end of the day if it is fine for you.

Actually, I'm just building a (hopefully) fixed version at the moment. I'll add you to the Cc list for it.

On 25/07/2025 10:41, Ian Abbott wrote:

On 24/07/2025 22:04, Arnaud Lecomte wrote:

KMSAN reported a kernel-infoleak when copying instruction data back to
userspace in do_insnlist_ioctl(). The issue occurs because allocated
memory buffers weren't properly initialized (not
zero initialized) before being copied to
userspace, potentially leaking kernel memory.

Reported-by: syzbot+a5e45f768aab5892da5d@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=a5e45f768aab5892da5d
Tested-by: syzbot+a5e45f768aab5892da5d@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Arnaud Lecomte <contact@xxxxxxxxxxxxxx>
---
drivers/comedi/comedi_fops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index c83fd14dd7ad..15fee829d14c 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1636,7 +1636,7 @@ static int do_insn_ioctl(struct comedi_device *dev,
          n_data = MAX_SAMPLES;
      }
-    data = kmalloc_array(n_data, sizeof(unsigned int), GFP_KERNEL);
+    data = kcalloc(n_data, sizeof(unsigned int), GFP_KERNEL);
      if (!data) {
          ret = -ENOMEM;
          goto error;

I thought my commit 46d8c744136c ("comedi: Fix initialization of data for instructions that write to subdevice" would have fixed this as long as all the driver code was playing nicely, but it seems I was mistaken.

I don't think it is necessary to use kcalloc(). The buffer already gets initialized (partly by `copy_from_user()`) when `insn->insn & INSN_MASK_WRITE` is non-zero, so it just needs to be initialized when `insn->insn & INSN_MASK_WRITE` is zero too.

There is nearly identical code in `do_insnlist_ioctl()` that needs fixing, so it would be better to fix both at the same time.

--
-=( Ian Abbott <abbotti@xxxxxxxxx> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-

Next message: Google: "Re: [PATCHv6 perf/core 09/22] uprobes/x86: Add uprobe syscall to speed up uprobe"
Previous message: shumingf: "[PATCH] soundwire: debugfs: add SCP_SDCA_IntStatX and SCP_SDCA_IntMaskX registers"
In reply to: Lecomte, Arnaud: "Re: [PATCH] comedi: zero-init data in do_insn_ioctl"
Next in thread: Lecomte, Arnaud: "Re: [PATCH] comedi: zero-init data in do_insn_ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]