CVE-2025-38229
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/07/2025
Last modified:
08/07/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
media: cxusb: no longer judge rbuf when the write fails<br />
<br />
syzbot reported a uninit-value in cxusb_i2c_xfer. [1]<br />
<br />
Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()<br />
succeeds and rlen is greater than 0, the read operation of usb_bulk_msg()<br />
will be executed to read rlen bytes of data from the dvb device into the<br />
rbuf.<br />
<br />
In this case, although rlen is 1, the write operation failed which resulted<br />
in the dvb read operation not being executed, and ultimately variable i was<br />
not initialized.<br />
<br />
[1]<br />
BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]<br />
BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196<br />
cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]<br />
cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196<br />
__i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1<br />
i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315<br />
i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343<br />
i2c_master_send include/linux/i2c.h:109 [inline]<br />
i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183<br />
do_loop_readv_writev fs/read_write.c:848 [inline]<br />
vfs_writev+0x963/0x14e0 fs/read_write.c:1057<br />
do_writev+0x247/0x5c0 fs/read_write.c:1101<br />
__do_sys_writev fs/read_write.c:1169 [inline]<br />
__se_sys_writev fs/read_write.c:1166 [inline]<br />
__x64_sys_writev+0x98/0xe0 fs/read_write.c:1166<br />
x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21<br />
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br />
do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/04354c529c8246a38ae28f713fd6bfdc028113bc
- https://git.kernel.org/stable/c/390b864e3281802109dfe56e508396683e125653
- https://git.kernel.org/stable/c/41807a5f67420464ac8ee7741504f6b5decb3b7c
- https://git.kernel.org/stable/c/73fb3b92da84637e3817580fa205d48065924e15
- https://git.kernel.org/stable/c/84eca597baa346f09b30accdaeca10ced3eeba2d
- https://git.kernel.org/stable/c/8b35b50b7e98d8e9a0a27257c8424448afae10de
- https://git.kernel.org/stable/c/9bff888c92f5c25effbb876d22a793c2388c1ccc