Wind River Support Network

Acknowledged

LIN1024-11119 : Security Advisory - linux - CVE-2025-39686

Created: Sep 7, 2025    Updated: Sep 8, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: Make insn_rw_emulate_bits() do insn->n samples

The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able to read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.)

Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers.
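
The difference between handling one sample and handling `insn->n` samples, as an added example: this is a simplified user-space model written for this page, not the kernel patch or comedi source. The names `model_insn_bits`, `emulate_bits_single`, `emulate_bits_all`, `stale_after_read`, `STALE` and `dio_state` are hypothetical, and the sample values are constructed.

```c
#include <stdio.h>
/* Simplified user-space stand-ins for the comedi types (assumptions). */
enum { INSN_READ, INSN_WRITE };
#define STALE 0xdeadbeefu        /* constructed "never written" marker */
static unsigned dio_state = 0x5; /* constructed: channels 0 and 2 high */
/* Model of a subdevice INSN_BITS handler: data[0] = mask, data[1] = bits. */
static int model_insn_bits(unsigned *data)
{
    dio_state = (dio_state & ~data[0]) | (data[1] & data[0]);
    data[1] = dio_state;
    return 2;
}

/* Before the fix: exactly one sample is handled, whatever n was requested. */
static int emulate_bits_single(int insn, unsigned chan, unsigned *data)
{
    unsigned d[2] = { 0, 0 };
    if (insn == INSN_WRITE) {
        d[0] = 1u << chan;
        d[1] = data[0] ? d[0] : 0;
    }
    if (model_insn_bits(d) < 0) return -1;
    if (insn == INSN_READ) data[0] = (d[1] >> chan) & 1;
    return 1;
}

/* After the fix: all n samples are handled, or an error is returned. */
static int emulate_bits_all(int insn, unsigned chan, unsigned n, unsigned *data)
{
    for (unsigned i = 0; i < n; i++)
        if (emulate_bits_single(insn, chan, &data[i]) < 0)
            return -1;
    return (int)n;
}

/* Count samples of an n-sample read (n <= 8) that the handler never wrote. */
static unsigned stale_after_read(int fixed, unsigned n)
{
    unsigned buf[8], stale = 0;
    for (unsigned i = 0; i < 8; i++) buf[i] = STALE;
    (void)(fixed ? emulate_bits_all(INSN_READ, 2, n, buf)
                 : emulate_bits_single(INSN_READ, 2, buf));
    for (unsigned i = 0; i < n; i++) stale += (buf[i] == STALE);
    return stale;
}

int main(void)
{
    printf("stale: before=%u after=%u\n", stale_after_read(0, 4), stale_after_read(1, 4));
}
```

The stale entries in the model stand for the samples that the comedi core would copy back to user-space without the handler having written them.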

CREATE(Triage):(User=admin) CVE-2025-39686 (https://nvd.nist.gov/vuln/detail/CVE-2025-39686)