Linux Kernel SPI fsl-cpm Length Parity Vulnerability Leading to Buffer Overrun

A vulnerability in the Linux kernel's SPI fsl-cpm driver can cause a buffer overrun when transferring data from EEPROM. This issue arises because the driver improperly switches to 16-bit mode for large transfers without verifying that the transfer size is even. The problem was introduced by a recent change that added a dynamically allocated buffer sized for the transfer, which can lead to an overflow when the length is odd. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes a buffer overrun in the SPI fsl-cpm driver, which can lead to memory corruption or other unintended behavior.

Reproduction

The vulnerability can be reproduced by performing a large SPI transfer with an odd size while the fsl-cpm driver is active. The transfer will be incorrectly handled as 16 bits, causing a buffer overrun.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.