A slab-out-of-bounds read bug in the Broadcom Full MAC Wi-Fi driver (e.g., brcmfmac.ko in the linux-modules-extra package in Ubuntu). The bug occurs in kmemdup() called from brcmf_get_assoc_ies(), when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of buffer which is defined as WL_EXTRA_BUF_MAX. The driver duplicates the data of cfg->extra_buf to conn_info->req_ie as much as assoc_info->req_le, which could exceed the size of the buffer. The data passes through cfg80211_connect_done(), __cfg80211_connect_result(); in the end, it reaches nl80211_send_connect_result() that will form netlink messages with the data read outside the bounds of the buffer. This data, which may contain sensitive information in the kernel, could be sent to a userspace socket by __netlink_sendskb() during this multicasting process. Reference: https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/T/#u
The information you give is very relevant to me especially when I play https://tunnelrush.co/ it will help me to fully focus on speed.