Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data. Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer. Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction. Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 2.6.29, < 5.15.190 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bbPatch
- https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4aPatch
- https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08aPatch
- https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dcPatch
- https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743Patch
- https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1aPatch
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlThird Party Advisory
- https://cert-portal.siemens.com/productcert/html/ssa-032379.html
FAQ
What is CVE-2025-39684?
CVE-2025-39684 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_i...
How severe is CVE-2025-39684?
CVE-2025-39684 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-39684?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux.