A USB-accessible slab-out-of-bounds read in Linux kernel driver

[Jisoo Jang <jisoo.jang () yonsei ac kr>]

=== Description ===

A slab-out-of-bounds read bug was found in the Broadcom Full MAC Wi-Fi
driver (e.g., brcmfmac.ko in the linux-modules-extra package in Ubuntu),

The bug occurs in kmemdup() called from brcmf_get_assoc_ies(), when
assoc_info->req_len, data from a URB provided by a USB device, is bigger
than the size of buffer which is defined as WL_EXTRA_BUF_MAX.

The driver duplicates the data of cfg->extra_buf to conn_info->req_ie as
much as assoc_info->req_le, which could exceed the size of the buffer.

The data passes through cfg80211_connect_done(),
__cfg80211_connect_result(); in the end, it reaches
nl80211_send_connect_result() that will form netlink messages with the data
read outside the bounds of the buffer.

This data, which may contain sensitive information in the kernel, could be
sent to a userspace socket by __netlink_sendskb() during this multicasting
process.

=== Fix ===

A patch was reported to the linux wireless mailing list and successfully
reviewed by the maintainer.

(
https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang () yonsei ac kr/T/#u
)