CVE-2025-38480
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-28

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-28
Last Modified
2025-11-03
Generated
2026-05-07
AI Q&A
2025-07-28
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38480
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
comedi comedi *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's Comedi subsystem, specifically in the function insn_rw_emulate_bits(). When handling certain digital input/output instructions (INSN_READ and INSN_WRITE) on digital subdevices, the function may use uninitialized data if the number of samples (insn->n) is zero. This can cause invalid or incorrect data to be written to digital output channels or internal state, because the function assumes data[0] is valid without checking if insn->n is zero. The fix is to return early if insn->n is zero to avoid using uninitialized data.


How can this vulnerability impact me? :

This vulnerability can cause incorrect values to be written to digital output channels or digital input/output channels configured as output. This means that the device's digital outputs may behave unpredictably or incorrectly, potentially leading to malfunction or incorrect operation of hardware relying on these outputs.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the comedi subsystem has been fixed to properly handle insn_rw_emulate_bits() by returning early when insn->n is 0, preventing use of uninitialized data. This typically means applying the latest kernel patches or upgrading to a kernel version released after 2025-07-28 that includes this fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart