In the Linux kernel, the following vulnerability has been resolved:
tpmtisspi: Account for SPI header when allocating TPM SPI xfer buffer
The TPM SPI transfer mechanism uses MAXSPIFRAMESIZE for computing the maximum transfer length and the size of the transfer buffer. As such, it does not account for the 4 bytes of header that prepends the SPI data frame. This can result in out-of-bounds accesses and was confirmed with KASAN.
Introduce SPI_HDRSIZE to account for the header and use to allocate the transfer buffer.