CVE-2025-68352

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: ch341: fix out-of-bounds memory access in ch341_transfer_one<br /> <br /> Discovered by Atuin - Automated Vulnerability Discovery Engine.<br /> <br /> The &amp;#39;len&amp;#39; variable is calculated as &amp;#39;min(32, trans-&gt;len + 1)&amp;#39;,<br /> which includes the 1-byte command header.<br /> <br /> When copying data from &amp;#39;trans-&gt;tx_buf&amp;#39; to &amp;#39;ch341-&gt;tx_buf + 1&amp;#39;, using &amp;#39;len&amp;#39;<br /> as the length is incorrect because:<br /> <br /> 1. It causes an out-of-bounds read from &amp;#39;trans-&gt;tx_buf&amp;#39; (which has size<br /> &amp;#39;trans-&gt;len&amp;#39;, i.e., &amp;#39;len - 1&amp;#39; in this context).<br /> 2. It can cause an out-of-bounds write to &amp;#39;ch341-&gt;tx_buf&amp;#39; if &amp;#39;len&amp;#39; is<br /> CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341-&gt;tx_buf + 1<br /> overflows the buffer.<br /> <br /> Fix this by copying &amp;#39;len - 1&amp;#39; bytes.