
Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()

syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak.

There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing.

One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data.

Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer.

Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction.

Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer.
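
The copy-back path described above, modelled in user-space C as an added example: this is not the kernel's comedi code and not part of the CVE record. The handler names, the `struct insn` layout, the `STALE` poison value and the instruction list are constructed stand-ins. The model covers the `do_insnlist_ioctl()` shape, where one buffer sized for the largest `insn->n` is shared across several instructions, which is why clearing only the `insn->n` samples each instruction will hand back is enough and the whole buffer need not be cleared.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for stale heap contents. A real kmalloc_array()
 * buffer holds whatever its previous owner left behind. */
#define STALE 0xDEADBEEFu

/* Hypothetical handler signature: fill data[] and return the number of
 * samples handled, or a negative value on error (modelled on how the
 * comedi instruction handlers behave, not copied from the kernel). */
typedef int (*insn_handler)(unsigned int *data, unsigned int n);

/* Models insn_rw_emulate_bits() for INSN_READ: at most one sample is
 * filled, however many were requested. */
static int emulate_bits_read(unsigned int *data, unsigned int n)
{
	if (n == 0)
		return 0;
	data[0] = 0x5a5a;
	return 1;
}

/* Models the second culprit: claims success for all n samples even
 * though it wrote none of them. */
static int never_fails_read(unsigned int *data, unsigned int n)
{
	(void)data;
	return (int)n;
}

struct insn {
	insn_handler handler;
	unsigned int n;		/* samples requested, i.e. insn->n */
};

/* Models the do_insnlist_ioctl() loop: one buffer sized for the largest
 * insn->n is shared by every instruction in the list, and insn->n
 * samples are copied back to user space unless the handler fails.
 * With zero_before_handling set, only the insn->n samples that the
 * current instruction will hand back are cleared first; the tail past n
 * is never copied, so it does not need clearing. Returns how many
 * samples reaching "user space" still hold STALE contents. */
unsigned int leaked_samples(const struct insn *list, unsigned int count,
			    int zero_before_handling)
{
	unsigned int max_n = 0, leaked = 0, i, j;
	unsigned int *data;

	for (i = 0; i < count; i++)
		if (list[i].n > max_n)
			max_n = list[i].n;
	if (max_n == 0)
		return 0;
	data = malloc(max_n * sizeof(*data));
	if (!data)
		return 0;
	for (j = 0; j < max_n; j++)	/* make stale contents visible */
		data[j] = STALE;

	for (i = 0; i < count; i++) {
		unsigned int n = list[i].n;

		if (zero_before_handling)
			memset(data, 0, n * sizeof(*data));	/* the fix */
		if (list[i].handler(data, n) < 0)
			continue;	/* error: nothing is copied back */
		for (j = 0; j < n; j++)	/* copy_to_user() of n samples */
			if (data[j] == STALE)
				leaked++;
	}
	free(data);
	return leaked;
}

int main(void)
{
	/* Constructed instruction list: 4, then 8, then 1 samples. */
	struct insn list[] = {
		{ emulate_bits_read, 4 },
		{ never_fails_read, 8 },
		{ emulate_bits_read, 1 },
	};
	unsigned int count = sizeof(list) / sizeof(list[0]);

	printf("unfixed: %u stale samples copied to user space\n",
	       leaked_samples(list, count, 0));
	printf("fixed:   %u stale samples copied to user space\n",
	       leaked_samples(list, count, 1));
	return 0;
}
```

Without the per-instruction `memset()`, the second instruction also hands back the first instruction's result in `data[0]`; that is the same caller's data, so the model counts only never-written samples as leaked, which is what KMSAN flags.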

State: PUBLISHED | Reserved 2025-04-16 | Published 2025-09-05 | Updated 2025-09-29 | Assigner: Linux

Product status

Default status: unaffected

affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before 868a1b68dcd9f2805bb86aa64862402f785d8c4a
affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before ff4a7c18799c7fe999fa56c5cf276e13866b8c1a
affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before d84f6e77ebe3359394df32ecd97e0d76a25283dc
affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before f3b0c9ec54736f3b8118f93a473d22e11ee65743
affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before aecf0d557ddd95ce68193a5ee1dc4c87415ff08a
affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 (git) before 3cd212e895ca2d58963fdc6422502b10dd3966bb

Default status: affected

2.6.29: affected
Any version before 2.6.29: unaffected
5.15.190 (semver): unaffected
6.1.149 (semver): unaffected
6.6.103 (semver): unaffected
6.12.44 (semver): unaffected
6.16.4 (semver): unaffected
6.17 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/868a1b68dcd9f2805bb86aa64862402f785d8c4a

git.kernel.org/...c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a

git.kernel.org/...c/d84f6e77ebe3359394df32ecd97e0d76a25283dc

git.kernel.org/...c/f3b0c9ec54736f3b8118f93a473d22e11ee65743

git.kernel.org/...c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a

git.kernel.org/...c/3cd212e895ca2d58963fdc6422502b10dd3966bb

cve.org (CVE-2025-39684)

nvd.nist.gov (CVE-2025-39684)
