5.5

CVE-2025-39684

comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()

syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`.  A kernel
buffer is allocated to hold `insn->n` samples (each of which is an
`unsigned int`).  For some instruction types, `insn->n` samples are
copied back to user-space, unless an error code is being returned.  The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole `insn->n` samples, so that there is
an information leak.  There is a similar syzbot report for
`do_insnlist_ioctl()`, although it does not have a reproducer for it at
the time of writing.

One culprit is `insn_rw_emulate_bits()` which is used as the handler for
`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have
a specific handler for that instruction, but do have an `INSN_BITS`
handler.  For `INSN_READ` it only fills in at most 1 sample, so if
`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied
to userspace will be uninitialized kernel data.

Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver.  It
never returns an error, even if it fails to fill the buffer.

Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.

Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`.  That fix
replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not
always necessary to clear the whole buffer.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.29 < 5.15.190
LinuxLinux Kernel Version >= 5.16 < 6.1.149
LinuxLinux Kernel Version >= 6.2 < 6.6.103
LinuxLinux Kernel Version >= 6.7 < 6.12.44
LinuxLinux Kernel Version >= 6.13 < 6.16.4
LinuxLinux Kernel Version6.17 Updaterc1
LinuxLinux Kernel Version6.17 Updaterc2
DebianDebian Linux Version11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.16% 0.057
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a
Patch
https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a
Patch
https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc
Patch
https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743
Patch
https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a
Patch
https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb
Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html