{"id":"CVE-2025-38480","summary":"comedi: Fix use of uninitialized data in insn_rw_emulate_bits()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized data in insn_rw_emulate_bits()\n\nFor Comedi `INSN_READ` and `INSN_WRITE` instructions on \"digital\"\nsubdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and\n`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have\n`insn_read` and `insn_write` handler functions, but to have an\n`insn_bits` handler function for handling Comedi `INSN_BITS`\ninstructions.  In that case, the subdevice's `insn_read` and/or\n`insn_write` function handler pointers are set to point to the\n`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.\n\nFor `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the\nsupplied `data[0]` value is a valid copy from user memory.  It will at\nleast exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in\n\"comedi_fops.c\" ensure at least `MIN_SAMPLES` (16) elements are\nallocated.  However, if `insn-\u003en` is 0 (which is allowable for\n`INSN_READ` and `INSN_WRITE` instructions), then `data[0]` may contain\nuninitialized data, and certainly contains invalid data, possibly from a\ndifferent instruction in the array of instructions handled by\n`do_insnlist_ioctl()`.  This will result in an incorrect value being\nwritten to the digital output channel (or to the digital input/output\nchannel if configured as an output), and may be reflected in the\ninternal saved state of the channel.\n\nFix it by returning 0 early if `insn-\u003en` is 0, before reaching the code\nthat accesses `data[0]`.  
Previously, the function always returned 1 on\nsuccess, but it is supposed to be the number of data samples actually\nread or written up to `insn-\u003en`, which is 0 in this case.","modified":"2026-04-16T04:31:58.494453525Z","published":"2025-07-28T11:21:45.142Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38480.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/10f9024a8c824a41827fff1fefefb314c98e2c88"},{"type":"WEB","url":"https://git.kernel.org/stable/c/16256d7efcf7acc9f39abe21522c4c6b77f67c00"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2af1e7d389c2619219171d23f5b96dbcbb7f9656"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3050d197d6bc9ef128944a70210f42d2430b3000"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4c2981bf30401adfcdbfece4ab6f411f7c5875a1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c53570e62b5b28bdb56bb563190227f8307817a5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e9cb26291d009243a4478a7ffb37b3a9175bfce9"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38480.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38480"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel
/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ed9eccbe8970f6eedc1b978c157caf1251a896d4"},{"fixed":"4c2981bf30401adfcdbfece4ab6f411f7c5875a1"},{"fixed":"16256d7efcf7acc9f39abe21522c4c6b77f67c00"},{"fixed":"c53570e62b5b28bdb56bb563190227f8307817a5"},{"fixed":"3050d197d6bc9ef128944a70210f42d2430b3000"},{"fixed":"10f9024a8c824a41827fff1fefefb314c98e2c88"},{"fixed":"2af1e7d389c2619219171d23f5b96dbcbb7f9656"},{"fixed":"3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870"},{"fixed":"e9cb26291d009243a4478a7ffb37b3a9175bfce9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38480.json"}}],"schema_version":"1.7.5"}