Public bug reported:

The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the maximum transfer length and the size of the transfer buffer. As such, it does not account for the 4 bytes of header that prepends the SPI data frame. This can result in out-of-bounds accesses and was confirmed with KASAN.

Introduce SPI_HDRSIZE to account for the header and use it to allocate the transfer buffer.

** Affects: linux-nvidia (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2067429

Title:
  Address out-of-bounds issue when using TPM SPI interface
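The sizing error described in this report, modelled in user space as an added example; it is not part of the bug report or the driver's code. The value 64 for MAX_SPI_FRAMESIZE, the helper names (`build_frame`, `overrun_bytes`, `max_frame_result`), the header byte layout and the register address are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SPI_FRAMESIZE 64 /* assumed value for this example */
#define SPI_HDRSIZE 4        /* the 4 header bytes named in the report */

/* Hypothetical helper: place header + payload in iobuf, refusing any
 * frame that would not fit. Returns bytes written, or -1 on rejection. */
static int build_frame(uint8_t *iobuf, size_t iobuf_size, uint16_t addr,
                       const uint8_t *data, size_t len)
{
    if (len == 0 || len > MAX_SPI_FRAMESIZE)
        return -1;
    if (SPI_HDRSIZE + len > iobuf_size) /* header counts against the buffer */
        return -1;
    iobuf[0] = (uint8_t)(len - 1);      /* illustrative header layout */
    iobuf[1] = 0x00;
    iobuf[2] = (uint8_t)(addr >> 8);
    iobuf[3] = (uint8_t)addr;
    memcpy(iobuf + SPI_HDRSIZE, data, len);
    return (int)(SPI_HDRSIZE + len);
}

/* Bytes an unchecked copy would write past the end of the buffer. */
static size_t overrun_bytes(size_t iobuf_size, size_t len)
{
    size_t need = SPI_HDRSIZE + len;
    return need > iobuf_size ? need - iobuf_size : 0;
}

/* Build a maximum-length frame in a heap buffer of the given size. */
static int max_frame_result(size_t iobuf_size)
{
    uint8_t payload[MAX_SPI_FRAMESIZE] = {0}; /* constructed sample data */
    uint8_t *iobuf = malloc(iobuf_size);
    int rc = iobuf ? build_frame(iobuf, iobuf_size, 0x0024, payload, sizeof(payload)) : -1;
    free(iobuf);
    return rc;
}

int main(void)
{
    size_t old_sz = MAX_SPI_FRAMESIZE, new_sz = SPI_HDRSIZE + MAX_SPI_FRAMESIZE;
    printf("old: rc=%d overrun=%zu\n", max_frame_result(old_sz), overrun_bytes(old_sz, MAX_SPI_FRAMESIZE));
    printf("new: rc=%d overrun=%zu\n", max_frame_result(new_sz), overrun_bytes(new_sz, MAX_SPI_FRAMESIZE));
    return 0;
}
```

With the buffer sized as MAX_SPI_FRAMESIZE, a maximum-length transfer needs 4 bytes more than the buffer holds and is rejected by the bounds check; sized as SPI_HDRSIZE + MAX_SPI_FRAMESIZE, the same transfer fits.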