In the Linux kernel, the following vulnerability has been resolved:
spi: nxp-fspi: fix the KASAN report out-of-bounds bug
Change the memcpy length to fix the out-of-bounds issue when writing the data that is not 4 byte aligned to TX FIFO.
To reproduce the issue, write 3 bytes data to NOR chip.
dd if=3b of=/dev/mtd0 [ 36.926103] ================================================================== [ 36.933409] BUG: KASAN: slab-out-of-bounds in nxpfspiexecop+0x26ec/0x2838 [ 36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455 [ 36.946721] [ 36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070 [ 36.956185] Hardware name: Freescale i.MX8QM MEK (DT) [ 36.961260] Call trace: [ 36.963723] dumpbacktrace+0x90/0xe8 [ 36.967414] showstack+0x18/0x24 [ 36.970749] dumpstacklvl+0x78/0x90 [ 36.974451] printreport+0x114/0x5cc [ 36.978151] kasanreport+0xa4/0xf0 [ 36.981670] _asanreportloadnnoabort+0x1c/0x28 [ 36.986587] nxpfspiexecop+0x26ec/0x2838 [ 36.990800] spimemexecop+0x8ec/0xd30 [ 36.994762] spimemnodirmapread+0x190/0x1e0 [ 36.999323] spimemdirmapwrite+0x238/0x32c [ 37.003710] spinorwritedata+0x220/0x374 [ 37.007932] spinorwrite+0x110/0x2e8 [ 37.011711] mtdwriteoobstd+0x154/0x1f0 [ 37.015838] mtdwriteoob+0x104/0x1d0 [ 37.019617] mtdwrite+0xb8/0x12c [ 37.022953] mtdcharwrite+0x224/0x47c [ 37.026732] vfswrite+0x1e4/0x8c8 [ 37.030163] ksyswrite+0xec/0x1d0 [ 37.033586] _arm64syswrite+0x6c/0x9c [ 37.037539] invokesyscall+0x6c/0x258 [ 37.041327] el0svccommon.constprop.0+0x160/0x22c [ 37.046244] doel0svc+0x44/0x5c [ 37.049589] el0svc+0x38/0x78 [ 37.052681] el0t64synchandler+0x13c/0x158 [ 37.057077] el0t64sync+0x190/0x194 [ 37.060775] [ 37.062274] Allocated by task 455: [ 37.065701] kasansavestack+0x2c/0x54 [ 37.069570] kasansavetrack+0x20/0x3c [ 37.073438] kasansaveallocinfo+0x40/0x54 [ 37.077736] _kasankmalloc+0xa0/0xb8 [ 37.081515] _kmallocnoprof+0x158/0x2f8 [ 37.085563] mtdkmallocupto+0x120/0x154 [ 37.089690] mtdcharwrite+0x130/0x47c [ 37.093469] vfswrite+0x1e4/0x8c8 [ 37.096901] ksyswrite+0xec/0x1d0 [ 37.100332] _arm64syswrite+0x6c/0x9c [ 37.104287] invokesyscall+0x6c/0x258 [ 37.108064] el0svccommon.constprop.0+0x160/0x22c [ 37.112972] doel0svc+0x44/0x5c [ 37.116319] el0svc+0x38/0x78 [ 37.119401] el0t64synchandler+0x13c/0x158 [ 37.123788] el0t64sync+0x190/0x194 [ 37.127474] [ 37.128977] The buggy address belongs to the object at ffff00081037c2a0 [ 37.128977] which belongs to the cache kmalloc-8 of size 8 [ 37.141177] The buggy address is located 0 bytes inside of [ 37.141177] allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3) [ 37.153465] [ 37.154971] The buggy address belongs to the physical page: [ 37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c [ 37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.175149] page_type: 0xfdffffff(slab) [ 37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000 [ 37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000 [ 37.194553] page dumped because: kasan: bad access detected [ 37.200144] [ 37.201647] Memory state around the buggy address: [ 37.206460] ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc [ 37.213701] ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc [ 37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc [ 37.228186] ^ [ 37.232473] ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.239718] ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.246962] ============================================================== ---truncated---