In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
syzbot reports a KMSAN kernel-infoleak in do_insn_ioctl(). A kernel
buffer is allocated to hold insn->n samples (each of which is an
unsigned int). For some instruction types, insn->n samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole insn->n samples, so that there is
an information leak. There is a similar syzbot report for
do_insnlist_ioctl(), although it does not have a reproducer for it at
the time of writing.
One culprit is insn_rw_emulate_bits() which is used as the handler for
INSN_READ or INSN_WRITE instructions for subdevices that do not have
a specific handler for that instruction, but do have an INSN_BITS
handler. For INSN_READ it only fills in at most 1 sample, so if
insn->n is greater than 1, the remaining insn->n - 1 samples copied
to userspace will be uninitialized kernel data.
Another culprit is vm80xx_ai_insn_read() in the vm80xx driver. It
never returns an error, even if it fails to fill the buffer.
Fix it in do_insn_ioctl() and do_insnlist_ioctl() by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.
Thanks to Arnaud Lecomte for their fix to do_insn_ioctl(). That fix
replaced the call to kmalloc_array() with kcalloc(), but it is not
always necessary to clear the whole buffer.