CVE-2025-39684

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()<br /> <br /> syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel<br /> buffer is allocated to hold `insn-&gt;n` samples (each of which is an<br /> `unsigned int`). For some instruction types, `insn-&gt;n` samples are<br /> copied back to user-space, unless an error code is being returned. The<br /> problem is that not all the instruction handlers that need to return<br /> data to userspace fill in the whole `insn-&gt;n` samples, so that there is<br /> an information leak. There is a similar syzbot report for<br /> `do_insnlist_ioctl()`, although it does not have a reproducer for it at<br /> the time of writing.<br /> <br /> One culprit is `insn_rw_emulate_bits()` which is used as the handler for<br /> `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have<br /> a specific handler for that instruction, but do have an `INSN_BITS`<br /> handler. For `INSN_READ` it only fills in at most 1 sample, so if<br /> `insn-&gt;n` is greater than 1, the remaining `insn-&gt;n - 1` samples copied<br /> to userspace will be uninitialized kernel data.<br /> <br /> Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It<br /> never returns an error, even if it fails to fill the buffer.<br /> <br /> Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure<br /> that uninitialized parts of the allocated buffer are zeroed before<br /> handling each instruction.<br /> <br /> Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix<br /> replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not<br /> always necessary to clear the whole buffer.