Home

Description

In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case.

PUBLISHED Reserved 2025-04-16 | Published 2025-07-28 | Updated 2025-11-03 | Assigner Linux

Product status

Default status
unaffected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before 4c2981bf30401adfcdbfece4ab6f411f7c5875a1
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before 16256d7efcf7acc9f39abe21522c4c6b77f67c00
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before c53570e62b5b28bdb56bb563190227f8307817a5
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before 3050d197d6bc9ef128944a70210f42d2430b3000
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before 10f9024a8c824a41827fff1fefefb314c98e2c88
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before 2af1e7d389c2619219171d23f5b96dbcbb7f9656
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before 3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before e9cb26291d009243a4478a7ffb37b3a9175bfce9
affected

Default status
affected

2.6.29
affected

Any version before 2.6.29
unaffected

5.4.297 (semver)
unaffected

5.10.241 (semver)
unaffected

5.15.190 (semver)
unaffected

6.1.147 (semver)
unaffected

6.6.100 (semver)
unaffected

6.12.40 (semver)
unaffected

6.15.8 (semver)
unaffected

6.16 (original_commit_for_fix)
unaffected

References

lists.debian.org/debian-lts-announce/2025/10/msg00008.html

lists.debian.org/debian-lts-announce/2025/10/msg00007.html

git.kernel.org/...c/4c2981bf30401adfcdbfece4ab6f411f7c5875a1

git.kernel.org/...c/16256d7efcf7acc9f39abe21522c4c6b77f67c00

git.kernel.org/...c/c53570e62b5b28bdb56bb563190227f8307817a5

git.kernel.org/...c/3050d197d6bc9ef128944a70210f42d2430b3000

git.kernel.org/...c/10f9024a8c824a41827fff1fefefb314c98e2c88

git.kernel.org/...c/2af1e7d389c2619219171d23f5b96dbcbb7f9656

git.kernel.org/...c/3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870

git.kernel.org/...c/e9cb26291d009243a4478a7ffb37b3a9175bfce9

cve.org (CVE-2025-38480)

nvd.nist.gov (CVE-2025-38480)

Download JSON