CVE-2025-39686
EUVD-2025-3153805.09.2025, 18:15
In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.) Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 2.6.29 ≤ 𝑥 < 5.15.190 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.149 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.103 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.44 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.16.4 |
| linux | linux_kernel | 6.17:rc1 |
| linux | linux_kernel | 6.17:rc2 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
References