CVE-2025-38480
Description
In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix use of uninitialized data in insn_rw_emulate_bits()

For Comedi INSN_READ and INSN_WRITE instructions on "digital" subdevices (subdevice types COMEDI_SUBD_DI, COMEDI_SUBD_DO, and COMEDI_SUBD_DIO), it is common for the subdevice driver not to have insn_read and insn_write handler functions, but to have an insn_bits handler function for handling Comedi INSN_BITS instructions. In that case, the subdevice's insn_read and/or insn_write function handler pointers are set to point to the insn_rw_emulate_bits() function by __comedi_device_postconfig().

For INSN_WRITE, insn_rw_emulate_bits() currently assumes that the supplied data[0] value is a valid copy from user memory. It will at least exist because do_insnlist_ioctl() and do_insn_ioctl() in "comedi_fops.c" ensure at least MIN_SAMPLES (16) elements are allocated. However, if insn->n is 0 (which is allowable for INSN_READ and INSN_WRITE instructions), then data[0] may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by do_insnlist_ioctl(). This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel.

Fix it by returning 0 early if insn->n is 0, before reaching the code that accesses data[0]. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to insn->n, which is 0 in this case.
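As an added illustration, not the kernel's own code, the constructed C model below shows the failure mode the description gives: two instructions are handled back to back over one sample buffer of MIN_SAMPLES elements, and a zero-length INSN_WRITE picks up whatever the previous instruction left in data[0]. The flawed emulation helper beside its corrected form (early return of 0 when insn->n is 0) shows both the stale write and the changed return value. The struct layout, the per-channel bit model and every function name here are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed, simplified model of a Comedi instruction and a digital
 * subdevice. Illustration only; these are not the kernel's comedi_insn,
 * comedi_subdevice or insn_rw_emulate_bits() definitions. */
#define MIN_SAMPLES 16u
#define INSN_READ   1u
#define INSN_WRITE  2u

struct insn {
    unsigned int insn;  /* INSN_READ or INSN_WRITE */
    unsigned int n;     /* number of samples requested; 0 is allowed */
    unsigned int chan;  /* channel index within the digital subdevice */
};

/* Saved output state of the subdevice: one bit per channel. */
struct subdevice {
    unsigned int state;
};

typedef int (*emulate_fn)(struct subdevice *, const struct insn *, unsigned int *);

/* Flawed emulation: trusts data[0] even when insn->n is 0, so a stale value
 * left in the shared buffer by an earlier instruction drives the output.
 * Always reports 1 sample handled. */
static int emulate_bits_before(struct subdevice *s, const struct insn *insn,
                               unsigned int *data)
{
    unsigned int mask = 1u << insn->chan;

    if (insn->insn == INSN_WRITE) {
        if (data[0])
            s->state |= mask;
        else
            s->state &= ~mask;
    } else {
        data[0] = (s->state & mask) ? 1u : 0u;
    }
    return 1;
}

/* Corrected emulation: with insn->n == 0 there is no sample to read or
 * write, so report 0 samples handled before touching data[0]. */
static int emulate_bits_after(struct subdevice *s, const struct insn *insn,
                              unsigned int *data)
{
    unsigned int mask = 1u << insn->chan;

    if (insn->n == 0)
        return 0;
    if (insn->insn == INSN_WRITE) {
        if (data[0])
            s->state |= mask;
        else
            s->state &= ~mask;
    } else {
        data[0] = (s->state & mask) ? 1u : 0u;
    }
    return 1;
}

/* Scenario: the first instruction legitimately writes 1 to channel 0; the
 * second is a zero-length write to channel 3, for which nothing is copied
 * into the buffer, so data[0] still holds the first instruction's sample.
 * Returns the final subdevice state; *second_ret receives the second
 * instruction's return value. */
static unsigned int run_instruction_list(emulate_fn emulate, int *second_ret)
{
    unsigned int data[MIN_SAMPLES] = { 1u };  /* constructed sample for insn 1 */
    struct subdevice s = { 0u };
    struct insn first  = { INSN_WRITE, 1u, 0u };
    struct insn second = { INSN_WRITE, 0u, 3u };

    emulate(&s, &first, data);
    *second_ret = emulate(&s, &second, data);
    return s.state;
}

/* Wrappers so each result is a plain return value. */
static unsigned int state_after_list(emulate_fn emulate)
{
    int r;
    return run_instruction_list(emulate, &r);
}

static int zero_length_ret(emulate_fn emulate)
{
    int r;
    run_instruction_list(emulate, &r);
    return r;
}

int main(void)
{
    printf("before fix: state=0x%x, zero-length insn returned %d\n",
           state_after_list(emulate_bits_before), zero_length_ret(emulate_bits_before));
    printf("after fix:  state=0x%x, zero-length insn returned %d\n",
           state_after_list(emulate_bits_after), zero_length_ret(emulate_bits_after));
    return 0;
}
```

With the flawed helper the state ends as 0x9 (channel 3 set from the stale sample) and the zero-length instruction reports 1; with the corrected helper the state stays 0x1 and the instruction reports 0, matching the description of the fix.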
POC
Reference
No PoCs from references.