{"id":"CVE-2025-68257","summary":"comedi: check device's attached status in compat ioctls","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: check device's attached status in compat ioctls\n\nSyzbot identified an issue [1] that crashes kernel, seemingly due to\nunexistent callback dev-\u003eget_valid_routes(). By all means, this should\nnot occur as said callback must always be set to\nget_zero_valid_routes() in __comedi_device_postconfig().\n\nAs the crash seems to appear exclusively in i386 kernels, at least,\njudging from [1] reports, the blame lies with compat versions\nof standard IOCTL handlers. Several of them are modified and\ndo not use comedi_unlocked_ioctl(). While functionality of these\nioctls essentially copy their original versions, they do not\nhave required sanity check for device's attached status. This,\nin turn, leads to a possibility of calling select IOCTLs on a\ndevice that has not been properly setup, even via COMEDI_DEVCONFIG.\n\nDoing so on unconfigured devices means that several crucial steps\nare missed, for instance, specifying dev-\u003eget_valid_routes()\ncallback.\n\nFix this somewhat crudely by ensuring device's attached status before\nperforming any ioctls, improving logic consistency between modern\nand compat functions.\n\n[1] Syzbot report:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]\n parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401\n do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594\n compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]\n comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273\n __do_compat_sys_ioctl fs/ioctl.c:695 [inline]\n __se_compat_sys_ioctl fs/ioctl.c:638 [inline]\n __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n...","modified":"2026-03-31T17:30:03.156232Z","published":"2025-12-16T14:44:59.535Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2025:15836-1","openSUSE-SU-2026:10301-1","openSUSE-SU-2026:20145-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68257.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93ee"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4836ba483a22ebd076c8faaf8293a7295fad4142"},{"type":"WEB","url":"https://git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7141915bf0c41cb57d83cdbaf695b8c731b16b71"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b975f91de5f8f63cf490f0393775cc795f8b0557"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f13895c03620933a58907e3250016f087e39b78c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dc"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68257.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68257"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3fbfd2223a271426509830e6340c386a1054cfad"},{"fixed":"4836ba483a22ebd076c8faaf8293a7295fad4142"},{"fixed":"7141915bf0c41cb57d83cdbaf695b8c731b16b71"},{"fixed":"f13895c03620933a58907e3250016f087e39b78c"},{"fixed":"b975f91de5f8f63cf490f0393775cc795f8b0557"},{"fixed":"f6e629dfe6f590091c662a87c9fcf118b1c1c7dc"},{"fixed":"573b07d2e3d473ee7eb625ef87519922cf01168d"},{"fixed":"aac80e912de306815297a3b74f0426873ffa7dc3"},{"fixed":"0de7d9cd07a2671fa6089173bccc0b2afe6b93ee"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68257.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.8.0"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.62"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.12"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.18.0"},{"fixed":"6.18.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68257.json"}}],"schema_version":"1.7.5"}