FKIE_CVE-2023-54295

Vulnerability from fkie_nvd - Published: 2025-12-30 13:16 - Updated: 2026-04-15 00:35
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type spi_nor_set_erase_type() was used either to set or to mask out an erase type. When we used it to mask out an erase type a shift-out-of-bounds was hit: UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24 shift exponent 4294967295 is too large for 32-bit type 'int' The setting of the size_{shift, mask} and of the opcode are unnecessary when the erase size is zero, as throughout the code just the erase size is considered to determine whether an erase type is supported or not. Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF is an unused opcode. Thus when masking out an erase type, just set the erase size to zero. This will fix the shift-out-of-bounds. [ta: refine changes, new commit message, fix compilation error]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/53b2916ebde741c657a857fa1936c0d9fcb59170
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/61d44a4db2f54dbac7d22c2541574ea5755e0468
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/99341b8aee7b5b4255b339345bbcaa35867dfd0c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e6409208c13f7c56adc12dd795abf4141e3d5e64
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f0f0cfdc3a024e21161714f2e05f0df3b84d42ad
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type\n\nspi_nor_set_erase_type() was used either to set or to mask out an erase\ntype. When we used it to mask out an erase type a shift-out-of-bounds\nwas hit:\nUBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24\nshift exponent 4294967295 is too large for 32-bit type \u0027int\u0027\n\nThe setting of the size_{shift, mask} and of the opcode are unnecessary\nwhen the erase size is zero, as throughout the code just the erase size\nis considered to determine whether an erase type is supported or not.\nSetting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF\nis an unused opcode. Thus when masking out an erase type, just set the\nerase size to zero. This will fix the shift-out-of-bounds.\n\n[ta: refine changes, new commit message, fix compilation error]"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmtd: spi-nor: Soluci\u00f3n para el desbordamiento de desplazamiento en spi_nor_set_erase_type\n\nspi_nor_set_erase_type() se utilizaba ya sea para establecer o para enmascarar un tipo de borrado. Cuando lo utiliz\u00e1bamos para enmascarar un tipo de borrado, se produc\u00eda un desbordamiento de desplazamiento:\nUBSAN: desbordamiento de desplazamiento en drivers/mtd/spi-nor/core.c:2237:24\nel exponente de desplazamiento 4294967295 es demasiado grande para el tipo \u0027int\u0027 de 32 bits\n\nLa configuraci\u00f3n de size_{shift, mask} y del c\u00f3digo de operaci\u00f3n son innecesarias cuando el tama\u00f1o de borrado es cero, ya que a lo largo del c\u00f3digo solo se considera el tama\u00f1o de borrado para determinar si un tipo de borrado es compatible o no. Establecer el c\u00f3digo de operaci\u00f3n a 0xFF tambi\u00e9n era incorrecto, ya que nadie garantiza que 0xFF sea un c\u00f3digo de operaci\u00f3n no utilizado. Por lo tanto, al enmascarar un tipo de borrado, simplemente establezca el tama\u00f1o de borrado a cero. Esto solucionar\u00e1 el desbordamiento de desplazamiento.\n\n[ta: refinar cambios, nuevo mensaje de commit, corregir error de compilaci\u00f3n]"
    }
  ],
  "id": "CVE-2023-54295",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {},
  "published": "2025-12-30T13:16:18.593",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/53b2916ebde741c657a857fa1936c0d9fcb59170"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/61d44a4db2f54dbac7d22c2541574ea5755e0468"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/99341b8aee7b5b4255b339345bbcaa35867dfd0c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e6409208c13f7c56adc12dd795abf4141e3d5e64"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f0f0cfdc3a024e21161714f2e05f0df3b84d42ad"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.