CVE-2025-39684

Summary

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()

syzbot reports a KMSAN kernel-infoleak in do_insn_ioctl(). A kernel buffer is allocated to hold insn->n samples (each of which is an unsigned int). For some instruction types, insn->n samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole insn->n samples, so that there is an information leak. There is a similar syzbot report for do_insnlist_ioctl(), although it does not have a reproducer for it at the time of writing.

One culprit is insn_rw_emulate_bits() which is used as the handler for INSN_READ or INSN_WRITE instructions for subdevices that do not have a specific handler for that instruction, but do have an INSN_BITS handler. For INSN_READ it only fills in at most 1 sample, so if insn->n is greater than 1, the remaining insn->n - 1 samples copied to userspace will be uninitialized kernel data.

Another culprit is vm80xx_ai_insn_read() in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer.

Fix it in do_insn_ioctl() and do_insnlist_ioctl() by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction.

Thanks to Arnaud Lecomte for their fix to do_insn_ioctl(). That fix replaced the call to kmalloc_array() with kcalloc(), but it is not always necessary to clear the whole buffer.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < 868a1b68dcd9f2805bb86aa64862402f785d8c4aaffected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < ff4a7c18799c7fe999fa56c5cf276e13866b8c1aaffected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < d84f6e77ebe3359394df32ecd97e0d76a25283dcaffected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < f3b0c9ec54736f3b8118f93a473d22e11ee65743affected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < aecf0d557ddd95ce68193a5ee1dc4c87415ff08aaffected
LinuxLinuxed9eccbe8970f6eedc1b978c157caf1251a896d4 < 3cd212e895ca2d58963fdc6422502b10dd3966bbaffected
LinuxLinux2.6.29affected
LinuxLinux0 < 2.6.29unaffected
LinuxLinux5.15.190 <= 5.15.*unaffected
LinuxLinux6.1.149 <= 6.1.*unaffected
LinuxLinux6.6.103 <= 6.6.*unaffected
LinuxLinux6.12.44 <= 6.12.*unaffected
LinuxLinux6.16.4 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

Additional References

References