oss-sec mailing list archives
A USB-accessible slab-out-of-bounds read in Linux kernel driver
From: Jisoo Jang <jisoo.jang () yonsei ac kr>
Date: Mon, 13 Mar 2023 20:10:33 +0900
=== Description ===

A slab-out-of-bounds read bug was found in the Broadcom Full MAC Wi-Fi driver (e.g., brcmfmac.ko in the linux-modules-extra package in Ubuntu). The bug occurs in kmemdup() called from brcmf_get_assoc_ies(), when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of the buffer, which is defined as WL_EXTRA_BUF_MAX. The driver duplicates the data of cfg->extra_buf to conn_info->req_ie as much as assoc_info->req_len, which could exceed the size of the buffer. The data passes through cfg80211_connect_done() and __cfg80211_connect_result(); in the end, it reaches nl80211_send_connect_result(), which will form netlink messages with the data read outside the bounds of the buffer. This data, which may contain sensitive information in the kernel, could be sent to a userspace socket by __netlink_sendskb() during this multicasting process.

=== Fix ===

A patch was reported to the linux-wireless mailing list and successfully reviewed by the maintainer. ( https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang () yonsei ac kr/T/#u )
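The length handling the advisory describes, as an added user-space model that is not the brcmfmac driver's own code nor the posted patch: the device-controlled req_len is bounded against the real size of extra_buf before the copy, and the assumed WL_EXTRA_BUF_MAX value, the struct layouts and the demo_* helpers are illustrative only.

```c
/* Added illustration, not the brcmfmac driver's code: a user-space model of the
 * check the advisory calls for. assoc_info (including req_len) comes from a URB
 * the USB device controls; the IEs are copied out of a fixed-size extra_buf.
 * WL_EXTRA_BUF_MAX = 2048 and the struct shapes are assumptions for the demo. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WL_EXTRA_BUF_MAX 2048

struct assoc_info { uint32_t req_len; };                 /* device-supplied */
struct conn_info  { uint8_t *req_ie; size_t req_ie_len; };

/* Hardened copy: the device-supplied length is bounded by the size of extra_buf
 * before anything is duplicated. The bug in the advisory is this same path
 * without the first "if": the copy then reads past extra_buf and the excess
 * bytes travel on through the cfg80211 connect-result path into netlink. */
static int get_assoc_ies(const uint8_t *extra_buf, const struct assoc_info *ai,
                         struct conn_info *ci)
{
    if (ai->req_len > WL_EXTRA_BUF_MAX)      /* the missing bounds check */
        return -EINVAL;
    ci->req_ie_len = ai->req_len;
    ci->req_ie = malloc(ci->req_ie_len ? ci->req_ie_len : 1); /* stands in for kmemdup() */
    if (!ci->req_ie)
        return -ENOMEM;
    memcpy(ci->req_ie, extra_buf, ci->req_ie_len);
    return 0;
}

/* Oversized device-claimed length: rejected, nothing copied or allocated. */
int demo_oversized_rejected(void)
{
    uint8_t extra_buf[WL_EXTRA_BUF_MAX] = {0};
    struct assoc_info ai = { .req_len = WL_EXTRA_BUF_MAX + 1 };
    struct conn_info ci = {0};
    int rc = get_assoc_ies(extra_buf, &ai, &ci);
    free(ci.req_ie);                          /* still NULL; harmless */
    return rc;
}

/* In-bounds length: copy succeeds and matches the source. Returns 1 on success. */
int demo_in_bounds_copy(void)
{
    uint8_t extra_buf[WL_EXTRA_BUF_MAX];
    struct assoc_info ai = { .req_len = 16 };
    struct conn_info ci = {0};
    for (size_t i = 0; i < sizeof extra_buf; i++) extra_buf[i] = (uint8_t)i;
    if (get_assoc_ies(extra_buf, &ai, &ci) != 0) return 0;
    int ok = ci.req_ie_len == 16 && memcmp(ci.req_ie, extra_buf, 16) == 0;
    free(ci.req_ie);
    return ok;
}
```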
Current thread:
- A USB-accessible slab-out-of-bounds read in Linux kernel driver Jisoo Jang (Mar 13)
- Re: A USB-accessible slab-out-of-bounds read in Linux kernel driver Jisoo Jang (Mar 14)