ghsa-jx84-vrfm-c347
Vulnerability from github
Published
2025-09-05 18:31
Modified
2025-09-05 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

comedi: pcl726: Prevent invalid irq number

The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob.

Added an interrupt number check to prevent users from passing in an irq number that was too large.

If it->options[1] is 31, then 1 << it->options[1] is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the it->options[1] value to 30 or lower, or using 1U << it->options[1].

The old code would just not attempt to request the IRQ if the options[1] value were invalid. And it would still configure the device without interrupts even if the call to request_irq returned an error. So it would be better to combine this test with the test below.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39685"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T18:15:45Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl726: Prevent invalid irq number\n\nThe reproducer passed in an irq number(0x80008000) that was too large,\nwhich triggered the oob.\n\nAdded an interrupt number check to prevent users from passing in an irq\nnumber that was too large.\n\nIf `it-\u003eoptions[1]` is 31, then `1 \u003c\u003c it-\u003eoptions[1]` is still invalid\nbecause it shifts a 1-bit into the sign bit (which is UB in C).\nPossible solutions include reducing the upper bound on the\n`it-\u003eoptions[1]` value to 30 or lower, or using `1U \u003c\u003c it-\u003eoptions[1]`.\n\nThe old code would just not attempt to request the IRQ if the\n`options[1]` value were invalid.  And it would still configure the\ndevice without interrupts even if the call to `request_irq` returned an\nerror.  So it would be better to combine this test with the test below.",
  "id": "GHSA-jx84-vrfm-c347",
  "modified": "2025-09-05T18:31:26Z",
  "published": "2025-09-05T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39685"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0eb4ed2aa261dee228f1668dbfa6d87353e8162d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a33d07c94ba91306093e823112a7aa9727549f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/96cb948408b3adb69df7e451ba7da9d21f814d00"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3cfcd0c78c80ca7cd80372dc28f77d01be57bf6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bab220b0bb5af652007e278e8e8357f952b0e1ea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8992c9a01f81128f36acb7c5755530e21fcd059"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.