CVE-2025-39684 - Vulnerability Details

Link	Providers
https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb
https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a
https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a
https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc
https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743
https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data. Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer. Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction. Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer.
Title		comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
References		https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743 https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39684", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.113Z", "datePublished": "2025-09-05T17:20:50.827Z", "dateUpdated": "2025-09-05T17:20:50.827Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-05T17:20:50.827Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel\nbuffer is allocated to hold `insn->n` samples (each of which is an\n`unsigned int`). For some instruction types, `insn->n` samples are\ncopied back to user-space, unless an error code is being returned. The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn->n` samples, so that there is\nan information leak. There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler. For `INSN_READ` it only fills in at most 1 sample, so if\n`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver. It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/comedi/comedi_fops.c"], "versions": [{"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "lessThan": "868a1b68dcd9f2805bb86aa64862402f785d8c4a", "status": "affected", "versionType": "git"}, {"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "lessThan": "ff4a7c18799c7fe999fa56c5cf276e13866b8c1a", "status": "affected", "versionType": "git"}, {"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "lessThan": "d84f6e77ebe3359394df32ecd97e0d76a25283dc", "status": "affected", "versionType": "git"}, {"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "lessThan": "f3b0c9ec54736f3b8118f93a473d22e11ee65743", "status": "affected", "versionType": "git"}, {"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "lessThan": "aecf0d557ddd95ce68193a5ee1dc4c87415ff08a", "status": "affected", "versionType": "git"}, {"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "lessThan": "3cd212e895ca2d58963fdc6422502b10dd3966bb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/comedi/comedi_fops.c"], "versions": [{"version": "2.6.29", "status": "affected"}, {"version": "0", "lessThan": "2.6.29", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.190", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.149", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.103", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.44", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.4", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "5.15.190"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.1.149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.6.103"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.12.44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.16.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.17-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a"}, {"url": "https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a"}, {"url": "https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc"}, {"url": "https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743"}, {"url": "https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a"}, {"url": "https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb"}], "title": "comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel\nbuffer is allocated to hold `insn->n` samples (each of which is an\n`unsigned int`). For some instruction types, `insn->n` samples are\ncopied back to user-space, unless an error code is being returned. The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn->n` samples, so that there is\nan information leak. There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler. For `INSN_READ` it only fills in at most 1 sample, so if\n`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver. It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer."}], "id": "CVE-2025-39684", "lastModified": "2025-09-05T18:15:45.020", "metrics": {}, "published": "2025-09-05T18:15:45.020", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object