Vulnerability Database

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix initialization of data for instructions that write to subdevice

Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first insn->n elements in some cases. The do_insn_ioctl() and do_insnlist_ioctl() functions allocate at least MIN_SAMPLES (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first insn->n data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first MIN_SAMPLES elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For do_insnlist_ioctl(), the same data buffer elements are used for handling a list of instructions, so ensure the first MIN_SAMPLES elements are initialized for each instruction that writes to the subdevice.