DEBIAN-CVE-2025-68332
- Source
- https://security-tracker.debian.org/tracker/CVE-2025-68332
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-68332.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-68332
- Upstream
- Downstream
- Published
- 2025-12-22T17:16:00.910Z
- Modified
- 2026-02-11T08:26:20.070159Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: comedi: c6xdigio: Fix invalid PNP driver unregistration The Comedi low-level driver "c6xdigio" seems to be for a parallel port connected device. When the Comedi core calls the driver's Comedi "attach" handler
c6xdigio_attach()to configure a Comedi to use this driver, it tries to enable the parallel port PNP resources by registering a PNP driver withpnp_register_driver(), but ignores the return value. (Thestruct pnp_driverit uses has only thenameandid_tablemembers filled in.) The driver's Comedi "detach" handlerc6xdigio_detach()unconditionally unregisters the PNP driver withpnp_unregister_driver(). It is possible forc6xdigio_attach()to return an error before it callspnp_register_driver()and it is possible for the call topnp_register_driver()to return an error (that is ignored). In both cases, the driver should not be callingpnp_unregister_driver()as it does inc6xdigio_detach(). (Note thatc6xdigio_detach()will be called by the Comedi core ifc6xdigio_attach()returns an error, or if the Comedi core decides to detach the Comedi device from the driver for some other reason.) The unconditional call topnp_unregister_driver()without a previous successful call topnp_register_driver()will causedriver_unregister()to issue a warning "Unexpected driver unregister!". This was detected by Syzbot [1]. Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.) Change the driver to do the PNP driver registration at module init time, and the unregistration at module exit time. Sincec6xdigio_detach()now only callscomedi_legacy_detach(), remove the function and change the Comedi driver "detach" handler tocomedi_legacy_detach. ------------------------------------------- [1] Syzbot sample crash report: Unexpected driver unregister! WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driverunregister drivers/base/driver.c:273 [inline] WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driverunregister+0x90/0xb0 drivers/base/driver.c:270 Modules linked in: CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:driverunregister drivers/base/driver.c:273 [inline] RIP: 0010:driverunregister+0x90/0xb0 drivers/base/driver.c:270 Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 Call Trace: <TASK> comedidevicedetachlocked+0x12f/0xa50 drivers/comedi/drivers.c:207 comedidevicedetach+0x67/0xb0 drivers/comedi/drivers.c:215 comedideviceattach+0x43d/0x900 drivers/comedi/drivers.c:1011 dodevconfigioctl+0x1b1/0x710 drivers/comedi/comedifops.c:872 comediunlockedioctl+0x165d/0x2f00 drivers/comedi/comedifops.c:2178 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:597 [inline] _sesysioctl fs/ioctl.c:583 [inline] _x64sysioctl+0x18e/0x210 fs/ioctl.c:583 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] do_sys ---truncated--- - References
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.162-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.12.63-1
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.17.12-1
Affected versions
6.*
Debian:11 / linux-6.1
Package
- Name
- linux-6.1
- Purl
- pkg:deb/debian/linux-6.1?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected