CVE-2025-68773

Summary

In the Linux kernel, the following vulnerability has been resolved:

spi: fsl-cpm: Check length parity before switching to 16 bit mode

Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM.

But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd.

Add the missing length parity verification and remain in 8 bit mode when the length is not even.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux60afe299bb541a928ba39bcb4ae8d3e428d1c5a5 < c8f1d35076b78df61ace737e41cc1f4b7b63236caffected
LinuxLinux4badd33929c05ed314794b95f1af1308f7222be8 < 9c34a4a2ead00979d203a8c16bea87f0ef5291d8affected
LinuxLinux7f6738e003b364783f3019fdf6e7645bc8dd1643 < 837a23a11e0f734f096c7c7b0778d0e625e3dc87affected
LinuxLinuxfc96ec826bced75cc6b9c07a4ac44bbf651337ab < 3dd6d01384823e1bd8602873153d6fc4337ac4feaffected
LinuxLinuxfc96ec826bced75cc6b9c07a4ac44bbf651337ab < 743cebcbd1b2609ec5057ab474979cef73d1b681affected
LinuxLinuxfc96ec826bced75cc6b9c07a4ac44bbf651337ab < be0b613198e6bfa104ad520397cab82ad3ec1771affected
LinuxLinuxfc96ec826bced75cc6b9c07a4ac44bbf651337ab < 1417927df8049a0194933861e9b098669a95c762affected
LinuxLinux42c04316d9275ec267d36e5e9064cd56c9884148affected
LinuxLinuxdc120f2d35b030390a2bc0f94dd5f37e900cae91affected
LinuxLinuxb558275c1b040f0e5aa56c862241f9212b6118c3affected
LinuxLinuxb9d9e8856f1c83e4277403f9b4c369b322ebcb12affected
LinuxLinux36a6d0f66c874666caf4e8be155b1be30f6231beaffected
LinuxLinux5.10.181 < 5.10.248affected
LinuxLinux5.15.114 < 5.15.198affected
LinuxLinux6.1.29 < 6.1.160affected
LinuxLinux4.14.316 < 4.15affected
LinuxLinux4.19.284 < 4.20affected
LinuxLinux5.4.244 < 5.5affected
LinuxLinux6.2.16 < 6.3affected
LinuxLinux6.3.3 < 6.4affected
LinuxLinux6.4affected
LinuxLinux0 < 6.4unaffected
LinuxLinux5.10.248 <= 5.10.*unaffected
LinuxLinux5.15.198 <= 5.15.*unaffected
LinuxLinux6.1.160 <= 6.1.*unaffected
LinuxLinux6.6.120 <= 6.6.*unaffected
LinuxLinux6.12.64 <= 6.12.*unaffected
LinuxLinux6.18.3 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References