spi: ch341: fix out-of-bounds memory access in ch341_transfer_one - user/sven/linux.git

diff options

author	Tianchu Chen <flynnnchen@tencent.com>	2025-11-28 16:06:30 +0800
committer	Mark Brown <broonie@kernel.org>	2025-11-28 11:48:08 +0000
commit	545d1287e40a55242f6ab68bcc1ba3b74088b1bc (patch)
tree	682e4f65f77ff0b846ce5a022c38d30f07dfcfb1 /net/unix/af_unix.c
parent	d7ad87d47eaf82c4204a567f863cdf7eedb2d120 (diff)

spi: ch341: fix out-of-bounds memory access in ch341_transfer_one

Discovered by Atuin - Automated Vulnerability Discovery Engine. The 'len' variable is calculated as 'min(32, trans->len + 1)', which includes the 1-byte command header. When copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len' as the length is incorrect because: 1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size 'trans->len', i.e., 'len - 1' in this context). 2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1 overflows the buffer. Fix this by copying 'len - 1' bytes. Fixes: 8846739f52af ("spi: add ch341a usb2spi driver") Signed-off-by: Tianchu Chen <flynnnchen@tencent.com> Link: https://patch.msgid.link/20251128160630.0f922c45ec6084a46fb57099@linux.dev Signed-off-by: Mark Brown <broonie@kernel.org>

Diffstat (limited to 'net/unix/af_unix.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: