Linux Kernel SPI-NOR Shift-Out-Of-Bounds Vulnerability in Erase Type Handling

Vulnerability

A shift-out-of-bounds vulnerability has been identified in the Linux kernel's SPI-NOR flash memory handling. The issue arises in the 'spi_nor_set_erase_type' function when it is used to mask out an erase type, i.e. when it is called with an erase size of zero. Undefined Behavior Sanitizer (UBSAN) detected that the shift exponent derived from that size exceeds the width of a 32-bit integer; this is undefined behaviour and can result in out-of-bounds memory access. The problem is compounded by the incorrect handling of erase types when the erase size is zero and by the assumption that the opcode '0xFF' is unused. The vulnerability affects the Linux kernel's stable releases.

Impact

Triggering this vulnerability causes a shift-out-of-bounds error, which is undefined behaviour and can lead to memory corruption.

Reproduction

The vulnerability can be reproduced by calling the 'spi_nor_set_erase_type' function to mask out an erase type, i.e. with an erase size of zero. This triggers a shift-out-of-bounds error because the shift exponent the function derives from a zero size is invalid.
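As an added illustration (not the kernel's own code), the following simplified C model shows how a zero erase size becomes an invalid shift exponent, alongside a guarded setter and a separate masking operation that never shifts. The struct layout and the names 'erase_type', 'unguarded_size_shift', 'erase_type_set' and 'erase_type_mask' are assumptions for this example; 0xFF is the "unused" opcode the advisory refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <strings.h>   /* ffs() */

/* Simplified stand-in for an erase-type descriptor (field names assumed). */
struct erase_type {
    uint32_t size;        /* erase size in bytes, a power of two when set */
    uint32_t size_shift;  /* log2(size), stored unsigned */
    uint32_t size_mask;   /* size - 1 */
    uint8_t  opcode;      /* erase command byte */
};

#define ERASE_OPCODE_UNUSED 0xFFu  /* the advisory's "unused" opcode value */
/* Exponent the unguarded computation derives from the size: ffs(size) - 1.
 * ffs(0) is 0, so a zero size yields -1, which stored unsigned becomes
 * 0xFFFFFFFF: far outside the 0..31 range a 32-bit shift permits. */
uint32_t unguarded_size_shift(uint32_t size)
{
    return (uint32_t)(ffs((int)size) - 1);
}

/* Shifting a 32-bit value is only defined for exponents 0..31. */
bool shift_is_valid(uint32_t shift)
{
    return shift < 32;
}

/* Hardened setter: rejects a zero or non-power-of-two size instead of
 * shifting by an invalid exponent. Returns false when the size is rejected. */
bool erase_type_set(struct erase_type *et, uint32_t size, uint8_t opcode)
{
    uint32_t shift = unguarded_size_shift(size);
    if (size == 0 || (size & (size - 1)) != 0 || !shift_is_valid(shift))
        return false;
    et->size = size;
    et->opcode = opcode;
    et->size_shift = shift;
    et->size_mask = (1u << shift) - 1u;
    return true;
}

/* Masking out an erase type is its own operation and performs no shift. */
void erase_type_mask(struct erase_type *et)
{
    et->size = 0;
    et->size_shift = 0;
    et->size_mask = 0;
    et->opcode = ERASE_OPCODE_UNUSED;
}
```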

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed.

Added: Dec 30, 2025, 2:18 PM
Updated: Dec 30, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           9.0
impact           2.5
exploitability   5.7
remediation      7.7
relevance        1.7
threat           4.8
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.