CVE-2023-53582

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds<br /> <br /> Fix a stack-out-of-bounds read in brcmfmac that occurs<br /> when &amp;#39;buf&amp;#39; that is not null-terminated is passed as an argument of<br /> strreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with<br /> a CLM version string by memcpy() in brcmf_fil_iovar_data_get().<br /> Ensure buf is null-terminated.<br /> <br /> Found by a modified version of syzkaller.<br /> <br /> [ 33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available<br /> [ 33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22<br /> [ 33.021554][ T1896] ==================================================================<br /> [ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110<br /> [ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896<br /> [ 33.023852][ T1896]<br /> [ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132<br /> [ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014<br /> [ 33.026065][ T1896] Workqueue: usb_hub_wq hub_event<br /> [ 33.026581][ T1896] Call Trace:<br /> [ 33.026896][ T1896] dump_stack_lvl+0x57/0x7d<br /> [ 33.027372][ T1896] print_address_description.constprop.0.cold+0xf/0x334<br /> [ 33.028037][ T1896] ? strreplace+0xf2/0x110<br /> [ 33.028403][ T1896] ? strreplace+0xf2/0x110<br /> [ 33.028807][ T1896] kasan_report.cold+0x83/0xdf<br /> [ 33.029283][ T1896] ? strreplace+0xf2/0x110<br /> [ 33.029666][ T1896] strreplace+0xf2/0x110<br /> [ 33.029966][ T1896] brcmf_c_preinit_dcmds+0xab1/0xc40<br /> [ 33.030351][ T1896] ? brcmf_c_set_joinpref_default+0x100/0x100<br /> [ 33.030787][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0<br /> [ 33.031223][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0<br /> [ 33.031661][ T1896] ? lock_acquire+0x19d/0x4e0<br /> [ 33.032091][ T1896] ? find_held_lock+0x2d/0x110<br /> [ 33.032605][ T1896] ? brcmf_usb_deq+0x1a7/0x260<br /> [ 33.033087][ T1896] ? brcmf_usb_rx_fill_all+0x5a/0xf0<br /> [ 33.033582][ T1896] brcmf_attach+0x246/0xd40<br /> [ 33.034022][ T1896] ? wiphy_new_nm+0x1476/0x1d50<br /> [ 33.034383][ T1896] ? kmemdup+0x30/0x40<br /> [ 33.034722][ T1896] brcmf_usb_probe+0x12de/0x1690<br /> [ 33.035223][ T1896] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470<br /> [ 33.035833][ T1896] usb_probe_interface+0x25f/0x710<br /> [ 33.036315][ T1896] really_probe+0x1be/0xa90<br /> [ 33.036656][ T1896] __driver_probe_device+0x2ab/0x460<br /> [ 33.037026][ T1896] ? usb_match_id.part.0+0x88/0xc0<br /> [ 33.037383][ T1896] driver_probe_device+0x49/0x120<br /> [ 33.037790][ T1896] __device_attach_driver+0x18a/0x250<br /> [ 33.038300][ T1896] ? driver_allows_async_probing+0x120/0x120<br /> [ 33.038986][ T1896] bus_for_each_drv+0x123/0x1a0<br /> [ 33.039906][ T1896] ? bus_rescan_devices+0x20/0x20<br /> [ 33.041412][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0<br /> [ 33.041861][ T1896] ? trace_hardirqs_on+0x1c/0x120<br /> [ 33.042330][ T1896] __device_attach+0x207/0x330<br /> [ 33.042664][ T1896] ? device_bind_driver+0xb0/0xb0<br /> [ 33.043026][ T1896] ? kobject_uevent_env+0x230/0x12c0<br /> [ 33.043515][ T1896] bus_probe_device+0x1a2/0x260<br /> [ 33.043914][ T1896] device_add+0xa61/0x1ce0<br /> [ 33.044227][ T1896] ? __mutex_unlock_slowpath+0xe7/0x660<br /> [ 33.044891][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550<br /> [ 33.045531][ T1896] usb_set_configuration+0x984/0x1770<br /> [ 33.046051][ T1896] ? kernfs_create_link+0x175/0x230<br /> [ 33.046548][ T1896] usb_generic_driver_probe+0x69/0x90<br /> [ 33.046931][ T1896] usb_probe_device+0x9c/0x220<br /> [ 33.047434][ T1896] really_probe+0x1be/0xa90<br /> [ 33.047760][ T1896] __driver_probe_device+0x2ab/0x460<br /> [ 33.048134][ T1896] driver_probe_device+0x49/0x120<br /> [ 33.048516][ T1896] __device_attach_driver+0x18a/0x250<br /> [ 33.048910][ T1896] ? driver_allows_async_probing+0x120/0x120<br /> ---truncated---