2.2 KiB
CVE-2025-39684
Description
In the Linux kernel, the following vulnerability has been resolved:comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()syzbot reports a KMSAN kernel-infoleak in do_insn_ioctl(). A kernelbuffer is allocated to hold insn->n samples (each of which is anunsigned int). For some instruction types, insn->n samples arecopied back to user-space, unless an error code is being returned. Theproblem is that not all the instruction handlers that need to returndata to userspace fill in the whole insn->n samples, so that there isan information leak. There is a similar syzbot report fordo_insnlist_ioctl(), although it does not have a reproducer for it atthe time of writing.One culprit is insn_rw_emulate_bits() which is used as the handler forINSN_READ or INSN_WRITE instructions for subdevices that do not havea specific handler for that instruction, but do have an INSN_BITShandler. For INSN_READ it only fills in at most 1 sample, so ifinsn->n is greater than 1, the remaining insn->n - 1 samples copiedto userspace will be uninitialized kernel data.Another culprit is vm80xx_ai_insn_read() in the "vm80xx" driver. Itnever returns an error, even if it fails to fill the buffer.Fix it in do_insn_ioctl() and do_insnlist_ioctl() by making surethat uninitialized parts of the allocated buffer are zeroed beforehandling each instruction.Thanks to Arnaud Lecomte for their fix to do_insn_ioctl(). That fixreplaced the call to kmalloc_array() with kcalloc(), but it is notalways necessary to clear the whole buffer.
POC
Reference
No PoCs from references.