CVE-2022-49740

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/03/2025
Last modified: 28/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

This patch fixes slab-out-of-bounds reads in brcmfmac that occur in brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count value of channel specifications provided by the device is greater than the length of 'list->element[]', decided by the size of the 'list' allocated with kzalloc(). The patch adds checks that make the functions free the buffer and return -EINVAL if that is the case. Note that the negative return is handled by the caller, brcmf_setup_wiphybands() or brcmf_cfg80211_attach().

Found by a modified version of syzkaller.

Crash Report from brcmf_construct_chaninfo():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896

CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
print_address_description.constprop.0.cold+0x93/0x334
kasan_report.cold+0x83/0xdf
brcmf_setup_wiphybands+0x1238/0x1430
brcmf_cfg80211_attach+0x2118/0x3fd0
brcmf_attach+0x389/0xd40
brcmf_usb_probe+0x12de/0x1690
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_set_configuration+0x984/0x1770
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_new_device.cold+0x463/0xf66
hub_event+0x10d5/0x3330
process_one_work+0x873/0x13e0
worker_thread+0x8b/0xd10
kthread+0x379/0x450
ret_from_fork+0x1f/0x30

Allocated by task 1896:
kasan_save_stack+0x1b/0x40
__kasan_kmalloc+0x7c/0x90
kmem_cache_alloc_trace+0x19e/0x330
brcmf_setup_wiphybands+0x290/0x1430
brcmf_cfg80211_attach+0x2118/0x3fd0
brcmf_attach+0x389/0xd40
brcmf_usb_probe+0x12de/0x1690
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_set_configuration+0x984/0x1770
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_new_device.cold+0x463/0xf66
hub_event+0x10d5/0x3330
process_one_work+0x873/0x13e0
worker_thread+0x8b/0xd10
kthread+0x379/0x450
ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888115f24000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
2048-byte region [ffff888115f24000, ffff888115f24800)

Memory state around the buggy address:
ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crash Report from brcmf_enable_bw40_2g():
==========
---truncated---
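The defect described above is a classic trust-the-device length field: the driver allocates a fixed-size response buffer, the firmware fills it with a count followed by count entries, and the loop over 'list->element[]' trusts the count without comparing it to what the allocation can hold. The following standalone C program is an added illustration of the guard the patch introduces; it is not the brcmfmac code or the patch itself. The struct layout (a 32-bit count followed by 32-bit elements), the field names, the function names, and the CHANSPEC_BUF_LEN constant (taken from the 1536-byte offset in the KASAN report, not from the driver's headers) are all assumptions made for this example. The capacity check here derives the maximum count from the buffer size and the header offset, which is the general form of the check rather than the driver's exact expression.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the response buffer handed to the device. 1536 is the offset KASAN
 * reported in the advisory; it is used here as a constructed constant, not
 * taken from the driver's headers. */
#define CHANSPEC_BUF_LEN 1536

/* Layout modelled on the advisory's list->element[]: a 32-bit count followed
 * by `count` 32-bit channel specifications. Names are assumptions. */
struct chanspec_list {
    uint32_t count;
    uint32_t element[];
};

/* Largest element count that fits in a buffer of buf_len bytes. The count
 * header itself occupies the first bytes, so it is subtracted first. */
static size_t chanspec_capacity(size_t buf_len)
{
    size_t hdr = offsetof(struct chanspec_list, element);
    if (buf_len < hdr)
        return 0;
    return (buf_len - hdr) / sizeof(uint32_t);
}

/* The guard the patch adds: refuse a device-supplied count larger than the
 * allocation can hold. Returns 0 when iterating element[] is safe, -EINVAL
 * otherwise (the advisory's callers treat a negative return as failure). */
int chanspec_list_check(const struct chanspec_list *list, size_t buf_len)
{
    if (list->count > chanspec_capacity(buf_len))
        return -EINVAL;
    return 0;
}

/* Consumer of the list: walks element[] only after the check passes and sums
 * the entries. Returns the number of elements processed or a negative errno. */
int chanspec_list_walk(const struct chanspec_list *list, size_t buf_len,
                       uint32_t *sum_out)
{
    int err = chanspec_list_check(list, buf_len);
    if (err)
        return err;            /* no element[] access happens on this path */

    uint32_t sum = 0;
    for (uint32_t i = 0; i < list->count; i++)
        sum += list->element[i];
    if (sum_out)
        *sum_out = sum;
    return (int)list->count;
}

/* Builds a constructed response buffer carrying an arbitrary claimed count.
 * Element writes are clamped to the real capacity so that this helper never
 * writes out of bounds itself; only the count field is untrusted. */
struct chanspec_list *make_response(size_t buf_len, uint32_t claimed_count)
{
    struct chanspec_list *list = calloc(1, buf_len);
    if (!list)
        return NULL;
    list->count = claimed_count;
    size_t cap = chanspec_capacity(buf_len);
    for (size_t i = 0; i < cap && i < claimed_count; i++)
        list->element[i] = (uint32_t)(i + 1);
    return list;
}

int main(void)
{
    uint32_t sum = 0;
    struct chanspec_list *ok = make_response(CHANSPEC_BUF_LEN, 10);
    struct chanspec_list *bad = make_response(CHANSPEC_BUF_LEN, 1000);

    printf("capacity of %d-byte buffer: %zu elements\n",
           CHANSPEC_BUF_LEN, chanspec_capacity(CHANSPEC_BUF_LEN));
    printf("count=10   -> %d (sum %u)\n",
           chanspec_list_walk(ok, CHANSPEC_BUF_LEN, &sum), sum);
    printf("count=1000 -> %d (expected -EINVAL = %d)\n",
           chanspec_list_walk(bad, CHANSPEC_BUF_LEN, &sum), -EINVAL);

    free(ok);
    free(bad);
    return 0;
}
```

The point worth taking from the example is where the check sits: before the first read of element[], and computed from the size the driver itself chose at allocation time rather than from anything the device reports. Under KASAN, a missing check of this shape shows up exactly as the report above does, as a read landing on the 'fc' redzone bytes immediately past the end of the kmalloc object.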

Impact