I've just fixed a nasty kernel memory corruption bug in the `comedi`
Linux kernel module built from the out-of-tree Comedi kernel module
sources hosted in the GitHub repository:

https://github.com/Linux-Comedi/comedi

The bug was introduced on 2024-10-21 in commit
7c3fecdf80131afde6008210b8ae79e52b151b25 ("drivers.c: Change buffer
access functions to use buf_page_list[] directly").

The bug affects several of the low-level drivers that support Comedi
commands in the "read" direction, and occurs when the driver writes to
the Comedi acquisition buffer after a Comedi command has been set up by
the user application. The affected Comedi drivers include
addi_apci_3120, adl_pci9111, adl_pci9112, adl_pci9118, cb_pcidas,
cb_pcidas64, comedi_rt_timer, comedi_test, contec_fit, das16, das16m1,
das1800, das800, dt282x, gsc_hpdi, ni_atmio, ni_at_a2150, ni_labpc,
ni_labpc_cs, ni_mio_cs, ni_pcimio, s626, usbduxfast, and usbduxsigma.

The bug does NOT affect these Comedi drivers with "read" command support
(because they use a different function to write to the acquisition
buffer): 8255, adv_pci1710, amplc_dio200, amplc_pc236, amplc_pci230,
comedi_parport, das6402, dmm32at, dt3000, me4000, ni_6527, ni_65xx,
ni_atmio16d, ni_daq_700, ni_pcidio, pcl812, pcl816, pcl818, pcmmio,
pcmuio, quatech_daqp_cs, rtd520 (unless modified to use DMA) and usbdux.

The bug was fixed today, 2024-06-24 15:19 UTC, by commit
e61af284b94875fb27d6f373b88226bd8140e51a ("comedi: Fix horrible bug in
comedi_buf_memcpy_to()").

If you think you might be affected by this bug, please pull the latest
sources (or download the latest snapshot) from the above GitHub repository.

The version of the Comedi modules included in the Linux kernel sources
is not affected.

--
-=( Ian Abbott <abb...@mev.co.uk> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-
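
The following is an added example, not part of the original post or of the Comedi project: a shell helper that classifies a local git checkout of the out-of-tree sources against the two commit IDs quoted above. The function names and the four result strings are hypothetical; it assumes a full (non-shallow) clone, and reports `unknown` when the commits cannot be found.

```shell
#!/bin/sh
# Added example: is this checkout between the bug-introducing commit and the fix?
INTRO_COMMIT=7c3fecdf80131afde6008210b8ae79e52b151b25   # introduced the bug (from the post)
FIX_COMMIT=e61af284b94875fb27d6f373b88226bd8140e51a     # fixed the bug (from the post)

# has_commit REPO COMMIT
# Returns 0 if COMMIT is HEAD or an ancestor of HEAD, 1 if it is not,
# 2 if the commit object is absent (wrong repository or shallow clone).
has_commit() {
    git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null || return 2
    git -C "$1" merge-base --is-ancestor "$2" HEAD 2>/dev/null
}

# comedi_checkout_state REPO [INTRO] [FIX]
# Prints one of: fixed, affected, predates-bug, unknown
comedi_checkout_state() {
    repo=$1
    intro=${2:-$INTRO_COMMIT}
    fix=${3:-$FIX_COMMIT}
    # Not a git work tree at all (for example an unpacked snapshot).
    git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 || { echo unknown; return 0; }
    # The fix is in HEAD's history: nothing more to check.
    if has_commit "$repo" "$fix"; then echo fixed; return 0; fi
    rc=0
    has_commit "$repo" "$intro" || rc=$?
    case $rc in
        0) echo affected ;;       # bug introduced, fix not yet merged
        1) echo predates-bug ;;   # history is older than the faulty commit
        *) echo unknown ;;        # commit not found: cannot decide
    esac
}

# Stand-alone use: sh check.sh /path/to/comedi
if [ "$#" -gt 0 ]; then comedi_checkout_state "$@"; fi
```

A result of `affected` only says the source tree contains the faulty change; the modules actually loaded still have to be rebuilt and reloaded from fixed sources.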