Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability exists in the Linux kernel's IIO chemical SPS30 I2C driver (drivers/iio/chemical/sps30_i2c.c), in the measurement reading function sps30_i2c_read_meas. The byte length of the measurement read is computed from sizeof(num), where num is the element count argument itself (a size_t, 8 bytes on 64-bit builds), instead of from the size of a __be32 element (4 bytes). On 64-bit kernels the driver therefore requests twice as many bytes as the __be32 destination buffer holds, which can cause an out-of-bounds write during the transfer. The vulnerability affects the stable versions of the Linux kernel.
Because the requested length is double the size of the measurement array, a full-length read can write past the end of the buffer in the kernel: memory corruption in the measurement path, with the usual consequences of a kernel out-of-bounds write (crash or undefined behaviour). On 32-bit systems sizeof(size_t) is 4, the same as __be32, so the miscalculation has no effect there.
To reproduce, use the sps30 driver with an SPS30 particulate-matter sensor attached over I2C on a 64-bit kernel and trigger a measurement read (for example by reading the sensor's IIO channels through sysfs, which ends in sps30_i2c_read_meas). The driver requests num * 8 bytes where the __be32 destination holds num * 4; instrumenting the transfer length, or running with KASAN enabled to catch the out-of-bounds write, shows the oversized read. On 32-bit kernels the two sizes coincide and the bug does not manifest.
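The length mix-up described above and in the reproduction notes, as an added userspace model (not code from the Linux kernel or the sps30 driver). It puts the vulnerable formula beside the corrected one, shows with a canary region that the buggy length writes past the __be32 array on a 64-bit build, and adds the bounds check a hardened reader would keep. All names (be32, meas_frame, sps30_read_len_buggy, sps30_read_len_fixed, mock_i2c_recv, sps30_overflow_observed, sps30_read_meas_checked) and the sensor payload are constructed for the example.

```c
/*
 * Added example, not code from the Linux kernel or the sps30 driver: a
 * userspace model of the length computation in sps30_i2c_read_meas().
 * All names (be32, meas_frame, sps30_read_len_buggy/fixed, mock_i2c_recv,
 * sps30_overflow_observed, sps30_read_meas_checked) are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t be32;          /* stand-in for the kernel's __be32 */
#define SPS30_NUM_MEAS 4        /* constructed: one word each for PM1, PM2.5, PM4, PM10 */

/* Vulnerable computation: sizeof(num) is sizeof(size_t), 8 bytes on
 * 64-bit, so the transfer is sized for twice the destination. */
static size_t sps30_read_len_buggy(size_t num)
{
	return num * sizeof(num);
}

/* Corrected computation: size the transfer from the element type. */
static size_t sps30_read_len_fixed(const be32 *meas, size_t num)
{
	return num * sizeof(*meas);
}

/* Mock bus read: like a driver that trusts the caller's length, it writes
 * exactly 'len' bytes into 'dst'. The payload is constructed (0x10, 0x11, ...)
 * so that any byte landing outside the intended array is non-zero. */
static void mock_i2c_recv(uint8_t *dst, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		dst[i] = (uint8_t)(0x10 + i);
}

/* The measurement array followed by a zeroed canary region that records
 * writes past meas[]. The copy is bounded by sizeof(frame) so the model
 * itself stays within defined behaviour while still showing the overrun. */
struct meas_frame {
	be32 meas[SPS30_NUM_MEAS];
	uint32_t canary[SPS30_NUM_MEAS];
};

/* Returns 1 if a read of 'num' words with the chosen length formula wrote
 * past meas[], 0 otherwise. */
static int sps30_overflow_observed(size_t num, int use_buggy_len)
{
	struct meas_frame f;
	size_t len, i;

	memset(&f, 0, sizeof(f));
	len = use_buggy_len ? sps30_read_len_buggy(num)
			    : sps30_read_len_fixed(f.meas, num);
	if (len > sizeof(f))
		len = sizeof(f);
	mock_i2c_recv((uint8_t *)&f, len);

	for (i = 0; i < SPS30_NUM_MEAS; i++)
		if (f.canary[i] != 0)
			return 1;
	return 0;
}

/* Hardened reader: derives the length from the element type and refuses
 * any transfer larger than the destination. Returns 0 on success, -1 if
 * the requested length would overrun 'meas' (the buggy formula trips this
 * on 64-bit). */
static int sps30_read_meas_checked(size_t num, int use_buggy_len)
{
	be32 meas[SPS30_NUM_MEAS];
	size_t len = use_buggy_len ? sps30_read_len_buggy(num)
				   : sps30_read_len_fixed(meas, num);

	if (num > SPS30_NUM_MEAS || len > sizeof(meas))
		return -1;
	mock_i2c_recv((uint8_t *)meas, len);
	return 0;
}

int main(void)
{
	printf("sizeof(size_t)=%zu sizeof(be32)=%zu\n", sizeof(size_t), sizeof(be32));
	printf("buggy len for %d words: %zu, fixed: %zu\n", SPS30_NUM_MEAS,
	       sps30_read_len_buggy(SPS30_NUM_MEAS),
	       sps30_read_len_fixed((const be32 *)0, SPS30_NUM_MEAS));
	printf("overflow with buggy formula: %d, with fixed: %d\n",
	       sps30_overflow_observed(SPS30_NUM_MEAS, 1),
	       sps30_overflow_observed(SPS30_NUM_MEAS, 0));
	return 0;
}
```

On a 64-bit build the buggy formula yields 32 bytes for four words and fills the canary, while the element-size formula yields 16 and leaves it untouched; on a 32-bit build both formulas agree, which is why the report restricts the bug to 64-bit kernels. The checked reader is the general defence: derive the length from the destination's element type and compare it against the destination's capacity before handing it to the bus layer.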
The fix in the Linux kernel computes the transfer length from the __be32 element size rather than from sizeof(num). Users should update to a stable kernel release that carries the fix.