CVE-2025-39686
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Make insn_rw_emulate_bits() do insn->n samples
The insn_rw_emulate_bits() function is used as a default handler for
INSN_READ instructions for subdevices that have a handler for
INSN_BITS but not for INSN_READ. Similarly, it is used as a default
handler for INSN_WRITE instructions for subdevices that have a handler
for INSN_BITS but not for INSN_WRITE. It works by emulating the
INSN_READ or INSN_WRITE instruction handling with a constructed
INSN_BITS instruction. However, INSN_READ and INSN_WRITE
instructions are supposed to be able read or write multiple samples,
indicated by the insn->n value, but insn_rw_emulate_bits() currently
only handles a single sample. For INSN_READ, the comedi core will
copy insn->n samples back to user-space. (That triggered KASAN
kernel-infoleak errors when insn->n was greater than 1, but that is
being fixed more generally elsewhere in the comedi core.)
Make insn_rw_emulate_bits() either handle insn->n samples, or return
an error, to conform to the general expectation for INSN_READ and
INSN_WRITE handlers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < ab77e85bd3bc006ef40738f26f446a660813da44 | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 842f307a1d115b24f2bcb2415c4e344f11f55930 | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 92352ed2f9ac422181e381c2430c2d0dfb46faa0 | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < dc0a2f142d655700db43de90cb6abf141b73d908 | affected |
| Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 7afba9221f70d4cbce0f417c558879cba0eb5e66 | affected |
| Linux | Linux | 2.6.29 | affected |
| Linux | Linux | 0 < 2.6.29 | unaffected |
| Linux | Linux | 5.15.190 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.149 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.103 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.44 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.4 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
Additional References
References
- https://git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44
- https://git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b
- https://git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930
- https://git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0
- https://git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908
- https://git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.