CVE-2025-38481

Summary

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large

The handling of the COMEDI_INSNLIST ioctl allocates a kernel buffer to hold the array of struct comedi_insn, getting the length from the n_insns member of the struct comedi_insnlist supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large.

Avoid that by failing with an -EINVAL error if the supplied n_insns value is unreasonable.

Define the limit on the n_insns value in the MAX_INSNS macro. Set this to the same value as MAX_SAMPLES (65536), which is the maximum allowed sum of the values of the member n in the array of struct comedi_insn, and sensible comedi instructions will have an n of at least 1.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < 454d732dfd0aef7d7aa950c409215ca06d717e93affected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < c68257588e87f45530235701a42496b7e9e56adbaffected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < 69dc06b9514522de532e997a21d035cd29b0db44affected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < d4c73ce13f5b5a0fe0319f1f352ff602f0ace8e3affected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < c9d3d9667443caafa804cd07940aeaef8e53aa90affected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < 992d600f284e719242a434166e86c1999649b71caffected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < e3b8322cc8081d142ee4c1a43e1d702bdba1ed76affected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < 08ae4b20f5e82101d77326ecab9089e110f224ccaffected
LinuxLinux2.6.29affected
LinuxLinux0 < 2.6.29unaffected
LinuxLinux5.4.297 <= 5.4.*unaffected
LinuxLinux5.10.241 <= 5.10.*unaffected
LinuxLinux5.15.190 <= 5.15.*unaffected
LinuxLinux6.1.147 <= 6.1.*unaffected
LinuxLinux6.6.100 <= 6.6.*unaffected
LinuxLinux6.12.40 <= 6.12.*unaffected
LinuxLinux6.15.8 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References