In the Linux kernel, the following vulnerability has been resolved:
mei: vsc: Fix fortify-panic caused by invalid counted_by() use
gcc 15 honors the _countedby(len) attribute on vsctppacket.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length without the crc. So as soon as vsctpxfer() tries to add the crc to buf[] the fortify-panic handler gets triggered:
[ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0 [ 80.842243] WARNING: CPU: 4 PID: 272 at lib/stringhelpers.c:1032 _fortifyreport+0x45/0x50 ... [ 80.843175] _fortifypanic+0x9/0xb [ 80.843186] vsctpxfer.cold+0x67/0x67 [meivschw] [ 80.843210] ? seqcountlockdepreaderaccess.constprop.0+0x82/0x90 [ 80.843229] ? lockdephardirqson+0x7c/0x110 [ 80.843250] meivschwstart+0x98/0x120 [meivsc] [ 80.843270] mei_reset+0x11d/0x420 [mei]
The easiest fix would be to just drop the counted-by but with the exception of the ack buffer in vsctpxferhelper() which only contains enough room for the packet-header, all other uses of vsctppacket always use a buffer of VSCTPMAXXFER_SIZE bytes for the packet.
Instead of just dropping the counted-by, split the vsctppacket struct definition into a header and a full-packet definition and use a fixed size buf[] in the packet definition, this way fortify-source buffer overrun checking still works when enabled.