CVE-2022-50258

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/09/2025
Last modified:
15/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()

This patch fixes a stack-out-of-bounds read in brcmfmac that occurs
when 'buf' that is not null-terminated is passed as an argument of
strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware
version string by memcpy() in brcmf_fil_iovar_data_get().
The patch ensures buf is null-terminated.

Found by a modified version of syzkaller.

[ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3
[ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
[ 47.601565][ T1897] ==================================================================
[ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0
[ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897
[ 47.604336][ T1897]
[ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131
[ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event
[ 47.607453][ T1897] Call Trace:
[ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1
[ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334
[ 47.609009][ T1897] ? strsep+0x1b2/0x1f0
[ 47.609434][ T1897] ? strsep+0x1b2/0x1f0
[ 47.609863][ T1897] kasan_report.cold+0x83/0xdf
[ 47.610366][ T1897] ? strsep+0x1b2/0x1f0
[ 47.610882][ T1897] strsep+0x1b2/0x1f0
[ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0
[ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40
[ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100
[ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0
[ 47.614704][ T1897] ? find_held_lock+0x2d/0x110
[ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260
[ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0
[ 47.616288][ T1897] brcmf_attach+0x246/0xd40
[ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0
[ 47.617280][ T1897] ? kmemdup+0x43/0x50
[ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690
[ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
[ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760
[ 47.619429][ T1897] ? usb_probe_device+0x250/0x250
[ 47.619950][ T1897] really_probe+0x205/0xb70
[ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0
[ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.622209][ T1897] driver_probe_device+0x4e/0x150
[ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0
[ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0
[ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30
[ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160
[ 47.625437][ T1897] __device_attach+0x23f/0x3a0
[ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0
[ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0
[ 47.627057][ T1897] bus_probe_device+0x1da/0x290
[ 47.627557][ T1897] device_add+0xb7b/0x1eb0
[ 47.628027][ T1897] ? wait_for_completion+0x290/0x290
[ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
[ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0
[ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0
[ 47.630385][ T1897] usb_probe_device+0xbb/0x250
[ 47.630927][ T1897] ? usb_suspend+0x590/0x590
[ 47.631397][ T1897] really_probe+0x205/0xb70
[ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0
[ 47.633002][
---truncated---
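
The pattern the description refers to, modelled in userspace as an added example (this is not the kernel patch and not code from this record): a fixed-size stack buffer is filled by memcpy() and then handed to strsep(). `fake_iovar_get`, `VER_BUF_LEN` and the sample replies are assumptions constructed for the demonstration.

```c
#define _DEFAULT_SOURCE            /* exposes strsep() on glibc */
#include <stdio.h>
#include <string.h>

char *strsep(char **stringp, const char *delim); /* repeated for strict -std builds */
#define VER_BUF_LEN 16             /* assumption: small size chosen for the demo */

/* Hypothetical stand-in for the firmware query: copies raw bytes, adds no NUL. */
static void fake_iovar_get(const char *reply, size_t n, char *buf, size_t len)
{
    memcpy(buf, reply, n < len ? n : len);
}

/* Pre-fix state: 1 if a NUL lies inside buf, 0 if strsep() would run past it. */
int raw_copy_is_terminated(const char *reply, size_t n)
{
    char buf[VER_BUF_LEN];

    memset(buf, 0, sizeof(buf));
    fake_iovar_get(reply, n, buf, sizeof(buf));
    return memchr(buf, '\0', sizeof(buf)) != NULL;
}

/* Hardened parse: terminate first, then split. Returns the first-line length. */
size_t first_line(const char *reply, size_t n, char *out, size_t out_len)
{
    char buf[VER_BUF_LEN];
    char *ptr = buf;

    memset(buf, 0, sizeof(buf));
    fake_iovar_get(reply, n, buf, sizeof(buf));
    buf[sizeof(buf) - 1] = '\0';   /* bounds every later string scan */
    snprintf(out, out_len, "%s", strsep(&ptr, "\n"));
    return strlen(out);
}

int main(void)
{
    /* Constructed replies, not real firmware output. */
    const char ok[] = "fw 1.0\nextra";
    const char full[] = "0123456789abcdefXYZ";   /* longer than buf, no newline */
    char line[VER_BUF_LEN];

    printf("short reply terminated: %d\n", raw_copy_is_terminated(ok, sizeof(ok) - 1));
    printf("full reply terminated:  %d\n", raw_copy_is_terminated(full, sizeof(full) - 1));
    printf("hardened first line: %zu bytes\n", first_line(full, sizeof(full) - 1, line, sizeof(line)));
    return 0;
}
```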

Impact