Message-ID: <2025090546-CVE-2025-39684-fcce@gregkh>
Date: Fri, 5 Sep 2025 19:20:58 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39684: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel
buffer is allocated to hold `insn->n` samples (each of which is an
`unsigned int`). For some instruction types, `insn->n` samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole `insn->n` samples, so that there is
an information leak. There is a similar syzbot report for
`do_insnlist_ioctl()`, although it does not have a reproducer for it at
the time of writing.
One culprit is `insn_rw_emulate_bits()` which is used as the handler for
`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have
a specific handler for that instruction, but do have an `INSN_BITS`
handler. For `INSN_READ` it only fills in at most 1 sample, so if
`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied
to userspace will be uninitialized kernel data.
Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It
never returns an error, even if it fails to fill the buffer.
Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.
Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix
replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not
always necessary to clear the whole buffer.
The Linux kernel CVE team has assigned CVE-2025-39684 to this issue.
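Added example (not the kernel's code and not taken from the fix commits): a
user-space model of the leak pattern the description above outlines and of the
"zero the buffer before handling each instruction" approach. The type and
function names (struct insn, fake_kmalloc_array, emulate_bits_read,
never_fails_read, do_insn, leaked_words) and the STALE_WORD marker are this
example's own, chosen to mirror the description; comedi's real structures,
handler signatures and the exact placement of the upstream memset are not
claimed here.

```c
/* Model of the comedi do_insn_ioctl() kernel-infoleak described in
 * CVE-2025-39684 and of zeroing the buffer before the handler runs.
 * Example code, not drivers/comedi/comedi_fops.c. */
#include <stdio.h>
#include <string.h>

#define INSN_READ   0
#define INSN_WRITE  1
#define MAX_SAMPLES 16

/* Marker standing in for whatever previous kernel data happens to be in a
 * reused allocation (constructed value for this example). */
#define STALE_WORD 0xDEADBEEFu

/* Simplified instruction: type and sample count (mirrors insn->insn / insn->n). */
struct insn {
    unsigned int insn;   /* INSN_READ or INSN_WRITE */
    unsigned int n;      /* number of unsigned int samples */
};

/* Stand-in for kmalloc_array(): returns memory that still holds its previous
 * contents, which is what a non-zeroing allocator may do. */
static unsigned int slab[MAX_SAMPLES];
static unsigned int *fake_kmalloc_array(unsigned int n)
{
    if (n > MAX_SAMPLES)
        return NULL;
    for (unsigned int i = 0; i < MAX_SAMPLES; i++)
        slab[i] = STALE_WORD;
    return slab;
}

typedef int (*handler_fn)(struct insn *, unsigned int *);

/* Modelled on the INSN_READ path of insn_rw_emulate_bits(): fills at most
 * one sample and reports one sample handled, whatever insn->n is. */
static int emulate_bits_read(struct insn *insn, unsigned int *data)
{
    if (insn->n == 0)
        return 0;
    data[0] = 0x1234;   /* the one "bit" value read from the device */
    return 1;
}

/* Modelled on the "vm80xx" case: reports success for all n samples but
 * never fills the buffer. */
static int never_fails_read(struct insn *insn, unsigned int *data)
{
    (void)data;
    return (int)insn->n;
}

/* Core of the ioctl: allocate n samples, run the handler, and copy n samples
 * back to "user-space" (out) unless an error is returned.  With zero_before
 * == 0 this is the vulnerable behaviour; with zero_before != 0 the buffer is
 * cleared for non-write instructions before the handler runs (a write copies
 * all n samples in from the user, so it is already fully initialised). */
static int do_insn(struct insn *insn, handler_fn handler,
                   unsigned int *out, int zero_before)
{
    unsigned int *data = fake_kmalloc_array(insn->n);
    int ret;

    if (!data)
        return -1;
    if (insn->insn == INSN_WRITE)
        memcpy(data, out, insn->n * sizeof(*data));
    else if (zero_before)
        memset(data, 0, insn->n * sizeof(*data));
    ret = handler(insn, data);
    if (ret >= 0 && insn->insn == INSN_READ)
        memcpy(out, data, insn->n * sizeof(*data));
    return ret;
}

/* Number of the n samples handed back to the user that still contain
 * STALE_WORD, i.e. the number of leaked words of "kernel" memory. */
static unsigned int leaked_words(handler_fn handler, unsigned int n, int fixed)
{
    struct insn insn = { INSN_READ, n };
    unsigned int out[MAX_SAMPLES];
    unsigned int leaked = 0;

    if (do_insn(&insn, handler, out, fixed) < 0)
        return 0;
    for (unsigned int i = 0; i < n; i++)
        if (out[i] == STALE_WORD)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("emulate_bits n=4 vulnerable: %u leaked\n", leaked_words(emulate_bits_read, 4, 0));
    printf("emulate_bits n=4 fixed:      %u leaked\n", leaked_words(emulate_bits_read, 4, 1));
    printf("never_fails  n=8 vulnerable: %u leaked\n", leaked_words(never_fails_read, 8, 0));
    printf("never_fails  n=8 fixed:      %u leaked\n", leaked_words(never_fails_read, 8, 1));
    return 0;
}
```

With the vulnerable path, an INSN_READ of 4 samples through the bits emulation
returns 3 stale words and the never-failing handler returns all 8; with zeroing
before the handler both return none. Zeroing only the n samples of a read
instruction, rather than the whole allocation, is what lets the insnlist case
reuse one buffer for several instructions without a full clear each time.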
Affected and fixed versions
===========================
Issue introduced in 2.6.29 with commit ed9eccbe8970f6eedc1b978c157caf1251a896d4 and fixed in 5.15.190 with commit 868a1b68dcd9f2805bb86aa64862402f785d8c4a
Issue introduced in 2.6.29 with commit ed9eccbe8970f6eedc1b978c157caf1251a896d4 and fixed in 6.1.149 with commit ff4a7c18799c7fe999fa56c5cf276e13866b8c1a
Issue introduced in 2.6.29 with commit ed9eccbe8970f6eedc1b978c157caf1251a896d4 and fixed in 6.6.103 with commit d84f6e77ebe3359394df32ecd97e0d76a25283dc
Issue introduced in 2.6.29 with commit ed9eccbe8970f6eedc1b978c157caf1251a896d4 and fixed in 6.12.44 with commit f3b0c9ec54736f3b8118f93a473d22e11ee65743
Issue introduced in 2.6.29 with commit ed9eccbe8970f6eedc1b978c157caf1251a896d4 and fixed in 6.16.4 with commit aecf0d557ddd95ce68193a5ee1dc4c87415ff08a
Issue introduced in 2.6.29 with commit ed9eccbe8970f6eedc1b978c157caf1251a896d4 and fixed in 6.17-rc3 with commit 3cd212e895ca2d58963fdc6422502b10dd3966bb
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39684
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/comedi/comedi_fops.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a
https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a
https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc
https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743
https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a
https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb