Описание
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
syzbot reports a KMSAN kernel-infoleak in do_insn_ioctl(). A kernel
buffer is allocated to hold insn->n samples (each of which is an
unsigned int). For some instruction types, insn->n samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole insn->n samples, so that there is
an information leak. There is a similar syzbot report for
do_insnlist_ioctl(), although it does not have a reproducer for it at
the time of writing.
One culprit is insn_rw_emulate_bits() which is used as the handler for
INSN_READ or INSN_WRITE instructions for subdevices that do not have
a specific handler for that instruction, but do have an INSN_BITS
handler. For INSN_READ it only fills in at most 1 sampl...
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
syzbot reports a KMSAN kernel-infoleak in do_insn_ioctl(). A kernel
buffer is allocated to hold insn->n samples (each of which is an
unsigned int). For some instruction types, insn->n samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole insn->n samples, so that there is
an information leak. There is a similar syzbot report for
do_insnlist_ioctl(), although it does not have a reproducer for it at
the time of writing.
One culprit is insn_rw_emulate_bits() which is used as the handler for
INSN_READ or INSN_WRITE instructions for subdevices that do not have
a specific handler for that instruction, but do have an INSN_BITS
handler. For INSN_READ it only fills in at most 1 sample, so if
insn->n is greater than 1, the remaining insn->n - 1 samples copied
to userspace will be uninitialized kernel data.
Another culprit is vm80xx_ai_insn_read() in the "vm80xx" driver. It
never returns an error, even if it fails to fill the buffer.
Fix it in do_insn_ioctl() and do_insnlist_ioctl() by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.
Thanks to Arnaud Lecomte for their fix to do_insn_ioctl(). That fix
replaced the call to kmalloc_array() with kcalloc(), but it is not
always necessary to clear the whole buffer.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-39684
- https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb
- https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a
- https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a
- https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc
- https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743
- https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
EPSS
CVE ID
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, ...
In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, ...
In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample,
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
In the Linux kernel, the following vulnerability has been resolved: c ...
EPSS