CVE-2025-39686

Published: September 6, 2025Last modified: September 6, 2025

Description

In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.) Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers.

Status

References

• https://git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66
• https://git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930
• https://git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0
• https://git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44
• https://git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b
• https://git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908
• https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html