CVE-2025-38229 Information

Description

In the Linux kernel the following vulnerability has been resolved:

media: cxusb: no longer judge rbuf when the write fails

syzbot reported a uninit-value in cxusb_i2c_xfer. [1]

Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0 the read operation of usb_bulk_msg() will be executed to read rlen bytes of data from the dvb device into the rbuf.

In this case although rlen is 1 the write operation failed which resulted in the dvb read operation not being executed and ultimately variable i was not initialized.

[1] BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1 i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315 i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343 i2c_master_send include/linux/i2c.h:109 [inline] i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183 do_loop_readv_writev fs/read_write.c:848 [inline] vfs_writev+0x963/0x14e0 fs/read_write.c:1057 do_writev+0x247/0x5c0 fs/read_write.c:1101 __do_sys_writev fs/read_write.c:1169 [inline] __se_sys_writev fs/read_write.c:1166 [inline] __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166 x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reference

https://git.kernel.org/stable/c/04354c529c8246a38ae28f713fd6bfdc028113bc https://git.kernel.org/stable/c/390b864e3281802109dfe56e508396683e125653 https://git.kernel.org/stable/c/41807a5f67420464ac8ee7741504f6b5decb3b7c https://git.kernel.org/stable/c/73fb3b92da84637e3817580fa205d48065924e15 https://git.kernel.org/stable/c/84eca597baa346f09b30accdaeca10ced3eeba2d https://git.kernel.org/stable/c/8b35b50b7e98d8e9a0a27257c8424448afae10de https://git.kernel.org/stable/c/9bff888c92f5c25effbb876d22a793c2388c1ccc

Related CNNVD

CNNVD-202507-482 (Published: 2025-07-04)