[PATCH] comedi: zero-init data in do_insn_ioctl

From: Arnaud Lecomte
Date: Thu Jul 24 2025 - 17:05:38 EST


KMSAN reported a kernel-infoleak when copying instruction data back to
userspace in do_insnlist_ioctl(). The issue occurs because allocated
memory buffers weren't properly initialized (not zero initialized)
before being copied to userspace, potentially leaking kernel memory.

Reported-by: syzbot+a5e45f768aab5892da5d@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=a5e45f768aab5892da5d
Tested-by: syzbot+a5e45f768aab5892da5d@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Arnaud Lecomte <contact@xxxxxxxxxxxxxx>
---
drivers/comedi/comedi_fops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index c83fd14dd7ad..15fee829d14c 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1636,7 +1636,7 @@ static int do_insn_ioctl(struct comedi_device *dev,
n_data = MAX_SAMPLES;
}

- data = kmalloc_array(n_data, sizeof(unsigned int), GFP_KERNEL);
+ data = kcalloc(n_data, sizeof(unsigned int), GFP_KERNEL);
if (!data) {
ret = -ENOMEM;
goto error;
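Review bot: the commit message names do_insnlist_ioctl() as the function where KMSAN observed the uninitialized copy-out, but the subject line and the only hunk change the allocation in do_insn_ioctl(); please reconcile the description with the code, and if do_insnlist_ioctl() allocates its own data buffer with kmalloc_array() it needs the same kcalloc() change or the syzbot report is not actually closed. The message also states that the buffer reaches userspace uninitialized but not why the driver path leaves part of it unwritten; a sentence on that, and on why zero-filling the whole buffer rather than copying back only the samples that were written is the intended fix, would help reviewers judge whether this hides a second bug.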
--
2.43.0
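To make the failure mode concrete, the following is an added userspace simulation (not code from the patch, the comedi driver, or the kernel) of the copy-out path the commit message describes: a buffer sized for n_data samples is handed to an instruction handler, and then all n_data samples are copied back to the caller. The arena, its stale contents, and the handler that fills only part of the buffer are constructed for the example; that a handler writes fewer samples than were allocated is an assumption about why the bytes were left uninitialized, since the patch does not say. sim_kmalloc_array() and sim_kcalloc() model the two allocators; only the name of the real kernel functions is taken from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated kernel heap: a fixed arena that still holds stale words from a
 * previous user. Constructed sample data standing in for freed kernel memory. */
#define ARENA_WORDS 16
static unsigned int arena[ARENA_WORDS];

static void arena_reset(void)
{
    /* Pretend an earlier allocation left these recognisable values behind. */
    for (size_t i = 0; i < ARENA_WORDS; i++)
        arena[i] = 0xDEAD0000u | (unsigned int)i;
}

/* Stand-in for kmalloc_array(): hands out the arena as-is, no clearing. */
static unsigned int *sim_kmalloc_array(size_t n)
{
    return n <= ARENA_WORDS ? arena : NULL;
}

/* Stand-in for kcalloc(): same arena, but zeroed before it is returned. */
static unsigned int *sim_kcalloc(size_t n)
{
    unsigned int *p = sim_kmalloc_array(n);
    if (p)
        memset(p, 0, n * sizeof(*p));
    return p;
}

/* Hypothetical driver behaviour: the instruction handler produces only
 * `produced` samples even though the caller allocated room for `n_data`. */
static void sim_insn_handler(unsigned int *data, size_t produced)
{
    for (size_t i = 0; i < produced; i++)
        data[i] = 1000u + (unsigned int)i;
}

/* Models the ioctl path: allocate n_data words, run the handler, then copy
 * all n_data words back "to userspace" (here: into `user`). Returns how many
 * words beyond `produced` carry stale, non-zero arena contents, or
 * (size_t)-1 on allocation failure or a nonsensical request. */
static size_t run_insn(size_t n_data, size_t produced, int zeroed,
                       unsigned int *user)
{
    unsigned int *data;
    size_t leaked = 0;

    arena_reset();
    data = zeroed ? sim_kcalloc(n_data) : sim_kmalloc_array(n_data);
    if (!data || produced > n_data)
        return (size_t)-1;

    sim_insn_handler(data, produced);
    memcpy(user, data, n_data * sizeof(*user)); /* copy_to_user() stand-in */

    for (size_t i = produced; i < n_data; i++)
        if (user[i] != 0)
            leaked++;
    return leaked;
}

int main(void)
{
    unsigned int user[ARENA_WORDS];

    printf("kmalloc_array: %zu stale words reach userspace\n",
           run_insn(8, 2, 0, user));
    printf("kcalloc:       %zu stale words reach userspace\n",
           run_insn(8, 2, 1, user));
    return 0;
}
```

With the unzeroed allocator the six samples the handler never wrote arrive in the caller's buffer still carrying the arena's old contents, which is the pattern KMSAN flags as a kernel-infoleak; with the zeroed allocator the same copy hands back zeros. The simulation does not decide whether zeroing or copying back only `produced` samples is the better fix; it only shows what the unzeroed path exposes.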