Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A stack-out-of-bounds vulnerability has been identified in the Linux kernel's SPMI tracing functions, specifically in 'trace_spmi_write_begin()' and 'trace_spmi_read_end()'. These functions improperly use 'memcpy()' with a length of 'len + 1', resulting in an out-of-bounds memory access by reading an extra byte beyond the intended buffer limit. This flaw has been logged by KASAN, indicating a stack memory corruption issue.
Triggering this vulnerability causes a stack-out-of-bounds memory access, which could potentially be used to overwrite the stack and manipulate the control flow of the program, possibly leading to arbitrary code execution.
The vulnerability can be reproduced by invoking the SPMI tracing functions 'trace_spmi_write_begin()' and 'trace_spmi_read_end()'. The KASAN log will show a stack-out-of-bounds access, indicating that the functions are reading beyond the allocated buffer size, which can be verified by the memory state around the accessed address.
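The 'len + 1' copy described above, next to the corrected 'len' copy, as an added user-space illustration (not kernel source and not the upstream patch). 'struct trace_rec', 'rec_write_buggy()', 'rec_write_fixed()' and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_MAX 16 /* assumed payload capacity of the modelled record */

/* Hypothetical user-space stand-in for one trace ring-buffer entry. */
struct trace_rec {
    size_t  copied;            /* bytes taken from the caller's buffer */
    uint8_t data[REC_MAX + 1]; /* +1 so the buggy copy stays inside the record */
};

/* Pattern the page describes: the copy length is len + 1. */
static void rec_write_buggy(struct trace_rec *r, const uint8_t *buf, size_t len)
{
    memset(r, 0, sizeof(*r));
    if (len > REC_MAX) len = REC_MAX;
    memcpy(r->data, buf, len + 1); /* also reads buf[len], past the payload */
    r->copied = len + 1;
}

/* Corrected pattern: copy exactly the len bytes the caller owns. */
static void rec_write_fixed(struct trace_rec *r, const uint8_t *buf, size_t len)
{
    memset(r, 0, sizeof(*r));
    if (len > REC_MAX) len = REC_MAX;
    memcpy(r->data, buf, len);
    r->copied = len;
}

/* Constructed input: 4 payload bytes followed by a neighbouring byte (0xA5)
 * in the same array, so the extra read is well defined in this model.
 * Returns what ended up in the record just after the payload. */
static uint8_t byte_after_payload(int use_fixed)
{
    const uint8_t frame[5] = { 0x11, 0x22, 0x33, 0x44, 0xA5 };
    struct trace_rec r;
    if (use_fixed)
        rec_write_fixed(&r, frame, 4);
    else
        rec_write_buggy(&r, frame, 4);
    return r.data[4];
}

int main(void)
{
    printf("len + 1: 0x%02X  len: 0x%02X\n", byte_after_payload(0), byte_after_payload(1));
}
```

With the 'len + 1' copy the neighbouring byte ends up in the record; with 'len' the record holds only the payload. In the kernel the byte past the buffer is whatever follows it on the caller's stack, which is the access KASAN flags.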