In the Linux kernel, the following vulnerability has been resolved:
comedi: Make insn_rw_emulate_bits() do insn->n samples
The insn_rw_emulate_bits() function is used as a default handler for
INSN_READ instructions for subdevices that have a handler for
INSN_BITS but not for INSN_READ. Similarly, it is used as a default
handler for INSN_WRITE instructions for subdevices that have a handler
for INSN_BITS but not for INSN_WRITE. It works by emulating the
INSN_READ or INSN_WRITE instruction handling with a constructed
INSN_BITS instruction. However, INSN_READ and INSN_WRITE
instructions are supposed to be able read or write multiple samples,
indicated by the insn->n value, but insn_rw_emulate_bits() currently
only handles a single sample. For INSN_READ, the comedi core will
copy insn->n samples back to user-space. (That triggered KASAN
kernel-infoleak errors when insn->n was greater than 1, but that is
being fixed more generally elsewhere in the comedi core.)
Make insn_rw_emulate_bits() either handle insn->n samples, or return
an error, to conform to the general expectation for INSN_READ and
INSN_WRITE handlers.