CVE-2022-50094

Source: https://cve.org/CVERecord?id=CVE-2022-50094
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50094.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2022-50094
Published: 2025-06-18T11:02:32.591Z
Modified: 2026-05-15T11:54:37.970539332Z
Summary
spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
Details

In the Linux kernel, the following vulnerability has been resolved:

spmi: trace: fix stack-out-of-bound access in SPMI tracing functions

trace_spmi_write_begin() and trace_spmi_read_end() both call memcpy() with a length of "len + 1". This leads to one extra byte being read beyond the end of the specified buffer. Fix this out-of-bound memory access by using a length of "len" instead.

Here is a KASAN log showing the issue:

BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234
Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314
...
Call trace:
 dump_backtrace+0x0/0x3e8
 show_stack+0x2c/0x3c
 dump_stack_lvl+0xdc/0x11c
 print_address_description+0x74/0x384
 kasan_report+0x188/0x268
 kasan_check_range+0x270/0x2b0
 memcpy+0x90/0xe8
 trace_event_raw_event_spmi_read_end+0x1d0/0x234
 spmi_read_cmd+0x294/0x3ac
 spmi_ext_register_readl+0x84/0x9c
 regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]
 _regmap_raw_read+0x40c/0x754
 regmap_raw_read+0x3a0/0x514
 regmap_bulk_read+0x418/0x494
 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]
 ...
 __arm64_sys_read+0x4c/0x60
 invoke_syscall+0x80/0x218
 el0_svc_common+0xec/0x1c8
 ...

addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:
 adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]

this frame has 1 object:
 [32, 33) 'status'

Memory state around the buggy address:
 ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00
                                           ^
 ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00
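
The off-by-one described above, modelled in user-space C as an added example (not the kernel's code and not the upstream patch). The frame layout follows the KASAN report's 1-byte 'status' object at [32, 33); the function names, the 64-byte frame size and the byte values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout taken from the KASAN report: one object 'status' at [32, 33).
 * FRAME_SIZE and all byte values below are constructed for this model. */
#define FRAME_SIZE  64
#define STATUS_OFF  32
#define STATUS_SIZE 1

/* Copy length as the advisory describes it before the fix, and after it. */
static size_t copy_len_before_fix(size_t len) { return len + 1; }
static size_t copy_len_after_fix(size_t len)  { return len; }

/* Count the bytes of access [off, off + n) that fall outside [start, end). */
static size_t bytes_outside(size_t start, size_t end, size_t off, size_t n)
{
    size_t out = 0;
    for (size_t i = off; i < off + n; i++)
        if (i < start || i >= end)
            out++;
    return out;
}

/* Hypothetical trace-record fill: copy n bytes starting at 'status' into rec.
 * The frame is one array, so the over-read is defined behaviour in this model.
 * Returns how many copied bytes did not belong to 'status', or -1 on bad n. */
static long record_event(uint8_t *rec, size_t rec_cap, size_t n)
{
    uint8_t frame[FRAME_SIZE];

    memset(frame, 0xAA, sizeof(frame)); /* stand-in for neighbouring stack data */
    frame[STATUS_OFF] = 0x01;           /* the caller's 1-byte status value */
    if (n > rec_cap || n > FRAME_SIZE - STATUS_OFF)
        return -1;
    memcpy(rec, &frame[STATUS_OFF], n);
    return (long)bytes_outside(STATUS_OFF, STATUS_OFF + STATUS_SIZE, STATUS_OFF, n);
}

int main(void)
{
    uint8_t rec[8] = {0};
    long before = record_event(rec, sizeof(rec), copy_len_before_fix(STATUS_SIZE));
    long after = record_event(rec, sizeof(rec), copy_len_after_fix(STATUS_SIZE));
    printf("before fix: %ld byte(s) outside 'status'\n", before);
    printf("after fix:  %ld byte(s) outside 'status'\n", after);
    return 0;
}
```

With the pre-fix length, the byte next to 'status' ends up in the record, which corresponds to the report's "Read of size 2" against a 1-byte object.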

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50094.json",
    "cna_assigner": "Linux"
}
Affected packages

Linux / Kernel

Package name: Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  4.3.0       4.9.326
ECOSYSTEM  4.10.0      4.14.291
ECOSYSTEM  4.15.0      4.19.256
ECOSYSTEM  4.20.0      5.4.211
ECOSYSTEM  5.5.0       5.10.137
ECOSYSTEM  5.11.0      5.15.61
ECOSYSTEM  5.16.0      5.18.18
ECOSYSTEM  5.19.0      5.19.2

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50094.json"