CVE-2025-38229
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/07/2025
Last modified:
18/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

media: cxusb: no longer judge rbuf when the write fails

syzbot reported an uninit-value in cxusb_i2c_xfer. [1]

Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()
succeeds and rlen is greater than 0, the read operation of usb_bulk_msg()
will be executed to read rlen bytes of data from the dvb device into the
rbuf.

In this case, although rlen is 1, the write operation failed which resulted
in the dvb read operation not being executed, and ultimately variable i was
not initialized.

[1]
BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
__i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1
i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315
i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343
i2c_master_send include/linux/i2c.h:109 [inline]
i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183
do_loop_readv_writev fs/read_write.c:848 [inline]
vfs_writev+0x963/0x14e0 fs/read_write.c:1057
do_writev+0x247/0x5c0 fs/read_write.c:1101
__do_sys_writev fs/read_write.c:1169 [inline]
__se_sys_writev fs/read_write.c:1166 [inline]
__x64_sys_writev+0x98/0xe0 fs/read_write.c:1166
x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
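
The pattern the description outlines, as an added user-space C model (not the kernel source and not the upstream patch). The function names, the error value and the `stale` parameter are assumptions for illustration; `stale` stands in for the uninitialized stack byte so the outcome is deterministic.

```c
#include <stddef.h>
#include <string.h>

#define MODEL_EIO (-5)   /* assumed stand-in for a failed bulk write */

/* Model of the transfer helper described above: the read into rbuf only
 * happens when the write succeeded and rlen > 0. */
static int model_generic_rw(int write_ok, unsigned char *rbuf, size_t rlen)
{
    if (!write_ok)
        return MODEL_EIO;          /* rbuf is never written */
    if (rlen > 0)
        memset(rbuf, 0x01, rlen);  /* constructed device reply: 0x01 = OK */
    return 0;
}

/* Unchecked shape: return value dropped, reply byte judged regardless.
 * 'stale' models whatever the stack slot held; in the kernel the byte
 * is simply uninitialized. Returns 1 if a failure is reported. */
static int judge_unchecked(int write_ok, unsigned char stale)
{
    unsigned char i = stale;
    (void)model_generic_rw(write_ok, &i, 1);
    return i != 0x01;
}

/* Hardened shape: the reply byte is only consulted after the transfer
 * succeeded, so a failed write never leads to a decision on garbage. */
static int judge_checked(int write_ok, unsigned char stale)
{
    unsigned char i = stale;
    int rc = model_generic_rw(write_ok, &i, 1);
    return rc < 0 || i != 0x01;
}

int main(void)
{
    /* Failed write while the stale byte happens to equal the OK code:
     * the unchecked variant misses the failure, the checked one does not. */
    return !(judge_unchecked(0, 0x01) == 0 && judge_checked(0, 0x01) == 1);
}
```

With KMSAN enabled, the unchecked comparison is the point at which the uninit-value report fires, because the byte being compared was never written by the failed transfer.
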
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.14 (including) | 5.4.296 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.239 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.186 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.142 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.95 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.35 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:2.6.13:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:2.6.13:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:2.6.13:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:2.6.13:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:2.6.13:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:2.6.13:rc7:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/04354c529c8246a38ae28f713fd6bfdc028113bc
- https://git.kernel.org/stable/c/390b864e3281802109dfe56e508396683e125653
- https://git.kernel.org/stable/c/41807a5f67420464ac8ee7741504f6b5decb3b7c
- https://git.kernel.org/stable/c/73fb3b92da84637e3817580fa205d48065924e15
- https://git.kernel.org/stable/c/77829a5f5a74026b888b0529628475b29750cef4
- https://git.kernel.org/stable/c/84eca597baa346f09b30accdaeca10ced3eeba2d
- https://git.kernel.org/stable/c/8b35b50b7e98d8e9a0a27257c8424448afae10de
- https://git.kernel.org/stable/c/9bff888c92f5c25effbb876d22a793c2388c1ccc
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html



