Google Git
Sign in
kernel / pub / scm / linux / kernel / git / gregkh / driver-core.git / 545d1287e40a55242f6ab68bcc1ba3b74088b1bc
commit545d1287e40a55242f6ab68bcc1ba3b74088b1bc[log] [tgz]
authorTianchu Chen <flynnnchen@tencent.com>Fri Nov 28 16:06:30 2025 +0800
committerMark Brown <broonie@kernel.org>Fri Nov 28 11:48:08 2025 +0000
tree682e4f65f77ff0b846ce5a022c38d30f07dfcfb1
parentd7ad87d47eaf82c4204a567f863cdf7eedb2d120 [diff]
spi: ch341: fix out-of-bounds memory access in ch341_transfer_one

Discovered by Atuin - Automated Vulnerability Discovery Engine.

The 'len' variable is calculated as 'min(32, trans->len + 1)',
which includes the 1-byte command header.

When copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len'
as the length is incorrect because:

1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size
   'trans->len', i.e., 'len - 1' in this context).
2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is
   CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1
   overflows the buffer.

Fix this by copying 'len - 1' bytes.

Fixes: 8846739f52af ("spi: add ch341a usb2spi driver")
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Link: https://patch.msgid.link/20251128160630.0f922c45ec6084a46fb57099@linux.dev
Signed-off-by: Mark Brown <broonie@kernel.org>
1 file changed
tree: 682e4f65f77ff0b846ce5a022c38d30f07dfcfb1
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. io_uring/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. rust/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .clippy.toml
  27. .cocciconfig
  28. .editorconfig
  29. .get_maintainer.ignore
  30. .gitattributes
  31. .gitignore
  32. .mailmap
  33. .pylintrc
  34. .rustfmt.toml
  35. COPYING
  36. CREDITS
  37. Kbuild
  38. Kconfig
  39. MAINTAINERS
  40. Makefile
  41. README