Linux Kernel CH341 SPI Driver Out-of-Bounds Memory Access Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel CH341 SPI driver, specifically in the 'ch341_transfer_one' function. The issue is an out-of-bounds memory access caused by an incorrect length calculation when copying data. The 'len' variable is derived from the 'trans->len' value, plus an additional byte for the command header. This calculation can lead to an out-of-bounds read from the transmission buffer or an out-of-bounds write to the CH341 buffer, particularly when the length is at its maximum value. Such out-of-bounds writes overflow the buffer, potentially leading to arbitrary code execution or memory corruption.
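The length error described above, modelled in user space as an added example (this is not the kernel driver's code): it computes which bytes a copy would touch when the header-inclusive length is reused as the payload size, next to the corrected form. PKT_LEN, CMD_HDR, the clamp to the packet size and all function names are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

#define PKT_LEN 32   /* assumed packet buffer size (not taken from the page) */
#define CMD_HDR 0xA8 /* model value for the one-byte command header */

struct span {
    size_t src_bytes; /* bytes read from the caller's tx buffer */
    size_t dst_end;   /* one past the last packet index written */
};

/* len as the advisory describes it: trans->len plus one header byte,
 * clamped to the packet size (the clamp is an assumption of this model). */
static size_t hdr_len(size_t trans_len) {
    return trans_len + 1 < PKT_LEN ? trans_len + 1 : PKT_LEN;
}

/* Flawed pattern: header-inclusive len reused as the payload copy size. */
static struct span flawed_span(size_t trans_len) {
    struct span s = { hdr_len(trans_len), 1 + hdr_len(trans_len) };
    return s;
}

/* Corrected pattern: the payload copy excludes the header byte. */
static struct span fixed_span(size_t trans_len) {
    struct span s = { hdr_len(trans_len) - 1, hdr_len(trans_len) };
    return s;
}

/* True when the copy stays inside both the tx buffer and the packet. */
static int in_bounds(struct span s, size_t trans_len) {
    return s.src_bytes <= trans_len && s.dst_end <= PKT_LEN;
}

/* Hardened packet build: returns bytes used in pkt, or -1 if unsafe. */
static int build_packet(unsigned char pkt[PKT_LEN],
                        const unsigned char *tx, size_t trans_len) {
    struct span s = fixed_span(trans_len);
    if (!in_bounds(s, trans_len)) return -1;
    memset(pkt, 0, PKT_LEN);
    pkt[0] = CMD_HDR;
    memcpy(pkt + 1, tx, s.src_bytes);
    return (int)s.dst_end;
}

int main(void) {
    printf("trans_len=31 flawed in bounds: %d, fixed in bounds: %d\n",
           in_bounds(flawed_span(31), 31), in_bounds(fixed_span(31), 31));
    return 0;
}
```

In this model the flawed span over-reads the source by one byte for every transfer that fits in the packet, and additionally writes one byte past the packet once the length reaches its maximum.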

Impact

Exploitation of this vulnerability causes out-of-bounds memory access, which can lead to buffer overflows. In this context, such buffer overflows could be exploited to execute arbitrary code or cause memory corruption.

Reproduction

The vulnerability can be reproduced by using the CH341A USB-to-SPI adapter with the Linux kernel SPI subsystem. When data is transferred over SPI, the 'ch341_transfer_one' function incorrectly calculates the length of the data to be sent, leading to an out-of-bounds memory access. This can be observed by monitoring the memory access patterns during an SPI data transfer operation.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit that addresses this issue is 545d1287e40a55242f6ab68bcc1ba3b74088b1bc.

Added: Dec 24, 2025, 12:21 PM
Updated: Dec 24, 2025, 12:21 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.