CVE-2025-38478 (GCVE-0-2025-38478)
Vulnerability from cvelistv5
Published: 2025-07-28 11:21
Modified: 2025-07-28 11:21
Summary
In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix initialization of data for instructions that write to subdevice

Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first `insn->n` data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first `MIN_SAMPLES` elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For `do_insnlist_ioctl()`, the same data buffer elements are used for handling a list of instructions, so ensure the first `MIN_SAMPLES` elements are initialized for each instruction that writes to the subdevice.
Impacted products
Vendor | Product | Version
Linux | Linux | ed9eccbe8970f6eedc1b978c157caf1251a896d4


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d3436638738ace8f101af7bdee2eae1bc38e9b29",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "673ee92bd2d31055bca98a1d96b653f5284289c4",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "c42116dc70af6664526f7aa82cf937824ab42649",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "46d8c744136ce2454aa4c35c138cc06817f92b8e",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix initialization of data for instructions that write to subdevice\n\nSome Comedi subdevice instruction handlers are known to access\ninstruction data elements beyond the first `insn-\u003en` elements in some\ncases.  The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions\nallocate at least `MIN_SAMPLES` (16) data elements to deal with this,\nbut they do not initialize all of that.  For Comedi instruction codes\nthat write to the subdevice, the first `insn-\u003en` data elements are\ncopied from user-space, but the remaining elements are left\nuninitialized.  That could be a problem if the subdevice instruction\nhandler reads the uninitialized data.  Ensure that the first\n`MIN_SAMPLES` elements are initialized before calling these instruction\nhandlers, filling the uncopied elements with 0.  For\n`do_insnlist_ioctl()`, the same data buffer elements are used for\nhandling a list of instructions, so ensure the first `MIN_SAMPLES`\nelements are initialized for each instruction that writes to the\nsubdevice."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:21:44.210Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d3436638738ace8f101af7bdee2eae1bc38e9b29"
        },
        {
          "url": "https://git.kernel.org/stable/c/673ee92bd2d31055bca98a1d96b653f5284289c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c42116dc70af6664526f7aa82cf937824ab42649"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/46d8c744136ce2454aa4c35c138cc06817f92b8e"
        }
      ],
      "title": "comedi: Fix initialization of data for instructions that write to subdevice",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38478",
    "datePublished": "2025-07-28T11:21:44.210Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-07-28T11:21:44.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38478\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-28T12:15:29.733\",\"lastModified\":\"2025-07-29T14:14:29.590\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncomedi: Fix initialization of data for instructions that write to subdevice\\n\\nSome Comedi subdevice instruction handlers are known to access\\ninstruction data elements beyond the first `insn-\u003en` elements in some\\ncases.  The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions\\nallocate at least `MIN_SAMPLES` (16) data elements to deal with this,\\nbut they do not initialize all of that.  For Comedi instruction codes\\nthat write to the subdevice, the first `insn-\u003en` data elements are\\ncopied from user-space, but the remaining elements are left\\nuninitialized.  That could be a problem if the subdevice instruction\\nhandler reads the uninitialized data.  Ensure that the first\\n`MIN_SAMPLES` elements are initialized before calling these instruction\\nhandlers, filling the uncopied elements with 0.  For\\n`do_insnlist_ioctl()`, the same data buffer elements are used for\\nhandling a list of instructions, so ensure the first `MIN_SAMPLES`\\nelements are initialized for each instruction that writes to the\\nsubdevice.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: comedi: Se corrige la inicializaci\u00f3n de datos para instrucciones que escriben en el subdispositivo Se sabe que algunos controladores de instrucciones del subdispositivo Comedi acceden a elementos de datos de instrucci\u00f3n m\u00e1s all\u00e1 de los primeros elementos `insn-\u0026gt;n` en algunos casos. Las funciones `do_insn_ioctl()` y `do_insnlist_ioctl()` asignan al menos `MIN_SAMPLES` (16) elementos de datos para lidiar con esto, pero no inicializan todo eso. 
Para los c\u00f3digos de instrucci\u00f3n Comedi que escriben en el subdispositivo, los primeros elementos de datos `insn-\u0026gt;n` se copian del espacio de usuario, pero los elementos restantes se dejan sin inicializar. Eso podr\u00eda ser un problema si el controlador de instrucciones del subdispositivo lee los datos no inicializados. Aseg\u00farese de que los primeros elementos `MIN_SAMPLES` se inicialicen antes de llamar a estos controladores de instrucciones, llenando los elementos no copiados con 0. Para `do_insnlist_ioctl()`, se utilizan los mismos elementos del b\u00fafer de datos para manejar una lista de instrucciones, as\u00ed que aseg\u00farese de que los primeros elementos `MIN_SAMPLES` se inicialicen para cada instrucci\u00f3n que escriba en el subdispositivo.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/46d8c744136ce2454aa4c35c138cc06817f92b8e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/673ee92bd2d31055bca98a1d96b653f5284289c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c42116dc70af6664526f7aa82cf937824ab42649\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d3436638738ace8f101af7bdee2eae1bc38e9b29\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

