CVE-2025-39684
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
syzbot reports a KMSAN kernel-infoleak in do_insn_ioctl(). A kernel
buffer is allocated to hold insn->n samples (each of which is an
unsigned int). For some instruction types, insn->n samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole insn->n samples, so that there is
an information leak. There is a similar syzbot report for
do_insnlist_ioctl(), although it does not have a reproducer for it at
the time of writing.
One culprit is insn_rw_emulate_bits() which is used as the handler for
INSN_READ or INSN_WRITE instructions for subdevices that do not have
a specific handler for that instruction, but do have an INSN_BITS
handler. For INSN_READ it only fills in at most 1 sample, so if
insn->n is greater than 1, the remaining insn->n - 1 samples copied
to userspace will be uninitialized kernel data.
Another culprit is vm80xx_ai_insn_read() in the "vm80xx" driver. It
never returns an error, even if it fails to fill the buffer.
Fix it in do_insn_ioctl() and do_insnlist_ioctl() by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.
Thanks to Arnaud Lecomte for their fix to do_insn_ioctl(). That fix
replaced the call to kmalloc_array() with kcalloc(), but it is not
always necessary to clear the whole buffer.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 868a1b68dcd9f2805bb86aa64862402f785d8c4a | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < ff4a7c18799c7fe999fa56c5cf276e13866b8c1a | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < d84f6e77ebe3359394df32ecd97e0d76a25283dc | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < f3b0c9ec54736f3b8118f93a473d22e11ee65743 | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < aecf0d557ddd95ce68193a5ee1dc4c87415ff08a | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 3cd212e895ca2d58963fdc6422502b10dd3966bb | affected |
| Linux | Linux | 2.6.29 | affected |
| Linux | Linux | 0 < 2.6.29 | unaffected |
| Linux | Linux | 5.15.190 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.149 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.103 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.44 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.4 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
Additional References
References
- https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a
- https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a
- https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc
- https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743
- https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a
- https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.