Bug 2177883 (CVE-2023-1380)

Summary: CVE-2023-1380 Kernel: a USB-accessible slab-out-of-bounds read in brcmfmac
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, fhrbata, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, stefficosenza0864, steve.beattie, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: kernel 4.14.315, kernel 4.19.283, kernel 5.4.243, kernel 5.10.180, kernel 5.15.110, kernel 6.1.27, kernel 6.2.14
Doc Type: If docs needed, set a value
Doc Text:
A slab-out-of-bounds read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel. This issue could occur when assoc_info->req_len is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
Bug Depends On: 2177884, 2177885, 2177886, 2177887
Bug Blocks: 2177868

Description Rohit Keshri 2023-03-13 18:36:26 UTC
A slab-out-of-bounds read bug in the Broadcom Full MAC Wi-Fi driver (e.g., brcmfmac.ko in the linux-modules-extra package in Ubuntu).

The bug occurs in kmemdup() called from brcmf_get_assoc_ies(), when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of the buffer, which is defined as WL_EXTRA_BUF_MAX.
The driver duplicates the data of cfg->extra_buf to conn_info->req_ie, as much as assoc_info->req_len, which could exceed the size of the buffer.
The data passes through cfg80211_connect_done(), __cfg80211_connect_result(); in the end, it reaches nl80211_send_connect_result() that will form netlink messages with the data read outside the bounds of the buffer.
This data, which may contain sensitive information in the kernel, could be sent to a userspace socket by __netlink_sendskb() during this multicasting process.

Reference:
https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/T/#u
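As an added illustration (not the driver's code and not the upstream patch), a userspace model in C of the length check the description implies: the device-reported req_len must be bounded by WL_EXTRA_BUF_MAX before it is used as a copy size. The struct names, the buffer size value, and checking resp_len alongside req_len are assumptions made for this model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the driver's buffer size; only the relationship
 * between req_len and the buffer matters for this model, not the real value. */
#define WL_EXTRA_BUF_MAX 2048

/* Modelled shape of the association info the device reports (assumed). */
struct assoc_info {
    uint32_t req_len;  /* request IE length, as claimed by the device */
    uint32_t resp_len; /* response IE length, as claimed by the device */
};

struct model_cfg { uint8_t extra_buf[WL_EXTRA_BUF_MAX]; };        /* cfg->extra_buf */
struct model_conn_info { uint8_t *req_ie; uint32_t req_ie_len; }; /* conn_info      */

/* Device-supplied lengths are untrusted: reject anything larger than the
 * buffer they index before that length is ever used as a copy size. */
int validate_assoc_lens(const struct assoc_info *ai)
{
    if (ai->req_len > WL_EXTRA_BUF_MAX || ai->resp_len > WL_EXTRA_BUF_MAX)
        return -EINVAL;
    return 0;
}

/* Hardened form of the copy the bug describes: the kmemdup() of req_len bytes
 * from extra_buf only happens after the bound check (malloc+memcpy here). */
int get_assoc_ies_checked(const struct model_cfg *cfg, const struct assoc_info *ai,
                          struct model_conn_info *ci)
{
    int err = validate_assoc_lens(ai);
    if (err)
        return err;
    free(ci->req_ie);
    ci->req_ie = NULL;
    ci->req_ie_len = 0;
    if (ai->req_len == 0)
        return 0;
    ci->req_ie = malloc(ai->req_len);
    if (!ci->req_ie)
        return -ENOMEM;
    memcpy(ci->req_ie, cfg->extra_buf, ai->req_len);
    ci->req_ie_len = ai->req_len;
    return 0;
}
```

A length that passes this check can never read past extra_buf, so the netlink path downstream only ever sees bytes that belong to the buffer.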
