We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-38480

comedi: Fix use of uninitialized data in insn_rw_emulate_bits()



Description

In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case.

Reserved 2025-04-16 | Published 2025-07-28 | Updated 2025-07-28 | Assigner Linux

Product status

Default status
unaffected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 before 3050d197d6bc9ef128944a70210f42d2430b3000
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 before 10f9024a8c824a41827fff1fefefb314c98e2c88
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 before 2af1e7d389c2619219171d23f5b96dbcbb7f9656
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 before 3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870
affected

ed9eccbe8970f6eedc1b978c157caf1251a896d4 before e9cb26291d009243a4478a7ffb37b3a9175bfce9
affected

Default status
affected

2.6.29
affected

Any version before 2.6.29
unaffected

6.1.147
unaffected

6.6.100
unaffected

6.12.40
unaffected

6.15.8
unaffected

6.16
unaffected

References

git.kernel.org/...c/3050d197d6bc9ef128944a70210f42d2430b3000

git.kernel.org/...c/10f9024a8c824a41827fff1fefefb314c98e2c88

git.kernel.org/...c/2af1e7d389c2619219171d23f5b96dbcbb7f9656

git.kernel.org/...c/3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870

git.kernel.org/...c/e9cb26291d009243a4478a7ffb37b3a9175bfce9

cve.org (CVE-2025-38480)

nvd.nist.gov (CVE-2025-38480)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-38480

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.