Bug 2177883 (CVE-2023-1380) - CVE-2023-1380 Kernel: a USB-accessible slab-out-of-bounds read in brcmfmac
Status: NEW
Alias: CVE-2023-1380
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2177884 2177885 2177886 2177887
Blocks: 2177868
Reported: 2023-03-13 18:36 UTC by Rohit Keshri
Modified: 2024-04-17 16:42 UTC

Fixed In Version: kernel 4.14.315, kernel 4.19.283, kernel 5.4.243, kernel 5.10.180, kernel 5.15.110, kernel 6.1.27, kernel 6.2.14
Doc Type: If docs needed, set a value
Doc Text:
A slab-out-of-bounds read was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel. This issue could occur when the assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.

Description Rohit Keshri 2023-03-13 18:36:26 UTC
A slab-out-of-bounds read bug in the Broadcom Full MAC Wi-Fi driver (e.g., brcmfmac.ko in the linux-modules-extra package in Ubuntu).

The bug occurs in kmemdup() called from brcmf_get_assoc_ies(), when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of the buffer, which is defined as WL_EXTRA_BUF_MAX.
The driver duplicates the data of cfg->extra_buf to conn_info->req_ie as much as assoc_info->req_len, which could exceed the size of the buffer.
The data passes through cfg80211_connect_done(), __cfg80211_connect_result(); in the end, it reaches nl80211_send_connect_result() that will form netlink messages with the data read outside the bounds of the buffer.
This data, which may contain sensitive information in the kernel, could be sent to a userspace socket by __netlink_sendskb() during this multicasting process.

Reference:
https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/T/#u
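
The missing bound described in the report, as an added example that is not part of the original report and is not the kernel's code: a userspace C model that rejects a device-supplied length larger than the source buffer before duplicating it. The names `assoc_info_model` and `copy_assoc_req_ies`, the value 2048 for `WL_EXTRA_BUF_MAX`, and the sample lengths are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WL_EXTRA_BUF_MAX 2048 /* size of the model's extra_buf (assumed value) */

/* Constructed stand-in for the device-supplied association info. */
struct assoc_info_model {
    uint32_t req_len; /* length of the request IEs, controlled by the device */
};

/* Duplicate req_len bytes of request IEs from extra_buf, which holds exactly
 * WL_EXTRA_BUF_MAX bytes. Returns 0 on success, -EINVAL when the device
 * reports more data than the buffer holds, -ENOMEM on allocation failure. */
int copy_assoc_req_ies(const struct assoc_info_model *info,
                       const uint8_t *extra_buf, uint8_t **out, uint32_t *out_len)
{
    uint32_t req_len = info->req_len;
    *out = NULL;
    *out_len = 0;
    /* Without this check the copy below reads past the end of extra_buf. */
    if (req_len > WL_EXTRA_BUF_MAX)
        return -EINVAL;
    if (req_len == 0)
        return 0; /* nothing to copy */
    *out = malloc(req_len); /* userspace stand-in for kmemdup() */
    if (*out == NULL)
        return -ENOMEM;
    memcpy(*out, extra_buf, req_len);
    *out_len = req_len;
    return 0;
}

int main(void)
{
    static uint8_t extra_buf[WL_EXTRA_BUF_MAX]; /* constructed sample buffer */
    const uint32_t lens[] = { 64, WL_EXTRA_BUF_MAX, WL_EXTRA_BUF_MAX + 1 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        struct assoc_info_model info = { .req_len = lens[i] };
        uint8_t *ies;
        uint32_t n;
        int rc = copy_assoc_req_ies(&info, extra_buf, &ies, &n);
        printf("req_len=%u rc=%d copied=%u\n", (unsigned)lens[i], rc, (unsigned)n);
        free(ies);
    }
    return 0;
}
```

A length equal to `WL_EXTRA_BUF_MAX` is still accepted because it reads exactly the whole buffer; only larger values are rejected.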
