In the Linux kernel, the following vulnerability has been resolved:
coresight: tmc-etf: Fix global-out-of-bounds in tmcupdateetf_buffer()
commit 6f755e85c332 ("coresight: Add helper for inserting synchronization packets") removed trailing '\0' from barrierpkt array and updated the call sites like etbupdatebuffer() to have proper checks for barrierpkt size before read but missed updating tmcupdateetfbuffer() which still reads barrierpkt past the array size resulting in KASAN out-of-bounds bug. Fix this by adding a check for barrierpkt size before accessing like it is done in etbupdate_buffer().
BUG: KASAN: global-out-of-bounds in tmcupdateetf_buffer+0x4b8/0x698 Read of size 4 at addr ffffffd05b7d1030 by task perf/2629
Call trace: dumpbacktrace+0x0/0x27c showstack+0x20/0x2c dumpstack+0x11c/0x188 printaddressdescription+0x3c/0x4a4 _kasanreport+0x140/0x164 kasanreport+0x10/0x18 _asanreportload4noabort+0x1c/0x24 tmcupdateetfbuffer+0x4b8/0x698 etmeventstop+0x248/0x2d8 etmeventdel+0x20/0x2c eventschedout+0x214/0x6f0 groupschedout+0xd0/0x270 ctxschedout+0x2ec/0x518 _perfeventtaskschedout+0x4fc/0xe6c _schedule+0x1094/0x16a0 preemptscheduleirq+0x88/0x170 arm64preemptscheduleirq+0xf0/0x18c el1irq+0xe8/0x180 perfeventexec+0x4d8/0x56c setupnewexec+0x204/0x400 loadelfbinary+0x72c/0x18c0 searchbinaryhandler+0x13c/0x420 loadscript+0x500/0x6c4 searchbinaryhandler+0x13c/0x420 execbinprm+0x118/0x654 _doexecvefile+0x77c/0xba4 _arm64compatsysexecve+0x98/0xac el0svccommon+0x1f8/0x5e0 el0svccompathandler+0x84/0xb0 el0svc_compat+0x10/0x50
The buggy address belongs to the variable: barrier_pkt+0x10/0x40
Memory state around the buggy address: ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03 ^ ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa ==================================================================