Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()[EOL][EOL]syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`.  A kernel[EOL]buffer is allocated to hold `insn->n` samples (each of which is an[EOL]`unsigned int`).  For some instruction types, `insn->n` samples are[EOL]copied back to user-space, unless an error code is being returned.  The[EOL]problem is that not all the instruction handlers that need to return[EOL]data to userspace fill in the whole `insn->n` samples, so that there is[EOL]an information leak.  There is a similar syzbot report for[EOL]`do_insnlist_ioctl()`, although it does not have a reproducer for it at[EOL]the time of writing.[EOL][EOL]One culprit is `insn_rw_emulate_bits()` which is used as the handler for[EOL]`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have[EOL]a specific handler for that instruction, but do have an `INSN_BITS`[EOL]handler.  For `INSN_READ` it only fills in at most 1 sample, so if[EOL]`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied[EOL]to userspace will be uninitialized kernel data.[EOL][EOL]Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver.  It[EOL]never returns an error, even if it fails to fill the buffer.[EOL][EOL]Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure[EOL]that uninitialized parts of the allocated buffer are zeroed before[EOL]handling each instruction.[EOL][EOL]Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`.  That fix[EOL]replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not[EOL]always necessary to clear the whole buffer.

CREATE(Triage):(User=admin) [CVE-2025-39684 (https://nvd.nist.gov/vuln/detail/CVE-2025-39684)