In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix initialization of data for instructions that write to subdevice
Some Comedi subdevice instruction handlers are known to access
instruction data elements beyond the first insn->n
elements in some
cases. The do_insn_ioctl()
and do_insnlist_ioctl()
functions
allocate at least MIN_SAMPLES
(16) data elements to deal with this,
but they do not initialize all of that. For Comedi instruction codes
that write to the subdevice, the first insn->n
data elements are
copied from user-space, but the remaining elements are left
uninitialized. That could be a problem if the subdevice instruction
handler reads the uninitialized data. Ensure that the first
MIN_SAMPLES
elements are initialized before calling these instruction
handlers, filling the uncopied elements with 0. For
do_insnlist_ioctl()
, the same data buffer elements are used for
handling a list of instructions, so ensure the first MIN_SAMPLES
elements are initialized for each instruction that writes to the
subdevice.