1.8 KiB
CVE-2025-39686
Description
In the Linux kernel, the following vulnerability has been resolved:comedi: Make insn_rw_emulate_bits() do insn->n samplesThe insn_rw_emulate_bits() function is used as a default handler forINSN_READ instructions for subdevices that have a handler forINSN_BITS but not for INSN_READ. Similarly, it is used as a defaulthandler for INSN_WRITE instructions for subdevices that have a handlerfor INSN_BITS but not for INSN_WRITE. It works by emulating theINSN_READ or INSN_WRITE instruction handling with a constructedINSN_BITS instruction. However, INSN_READ and INSN_WRITEinstructions are supposed to be able read or write multiple samples,indicated by the insn->n value, but insn_rw_emulate_bits() currentlyonly handles a single sample. For INSN_READ, the comedi core willcopy insn->n samples back to user-space. (That triggered KASANkernel-infoleak errors when insn->n was greater than 1, but that isbeing fixed more generally elsewhere in the comedi core.)Make insn_rw_emulate_bits() either handle insn->n samples, or returnan error, to conform to the general expectation for INSN_READ andINSN_WRITE handlers.
POC
Reference
No PoCs from references.