CVE-2023-53213
CVSS v3.1 severity:
HIGH
Type:
CWE-125
Out-of-bounds read
Publication date:
15/09/2025
Last modified:
14/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

Fix a slab-out-of-bounds read that occurs in kmemdup() called from
brcmf_get_assoc_ies().
The bug could occur when assoc_info->req_len, data from a URB provided
by a USB device, is bigger than the size of buffer which is defined as
WL_EXTRA_BUF_MAX.

Add the size check for req_len/resp_len of assoc_info.

Found by a modified version of syzkaller.

[ 46.592467][ T7] ==================================================================
[ 46.594687][ T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50
[ 46.596572][ T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7
[ 46.598575][ T7]
[ 46.599157][ T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #145
[ 46.601333][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 46.604360][ T7] Workqueue: events brcmf_fweh_event_worker
[ 46.605943][ T7] Call Trace:
[ 46.606584][ T7] dump_stack_lvl+0x8e/0xd1
[ 46.607446][ T7] print_address_description.constprop.0.cold+0x93/0x334
[ 46.608610][ T7] ? kmemdup+0x3e/0x50
[ 46.609341][ T7] kasan_report.cold+0x79/0xd5
[ 46.610151][ T7] ? kmemdup+0x3e/0x50
[ 46.610796][ T7] kasan_check_range+0x14e/0x1b0
[ 46.611691][ T7] memcpy+0x20/0x60
[ 46.612323][ T7] kmemdup+0x3e/0x50
[ 46.612987][ T7] brcmf_get_assoc_ies+0x967/0xf60
[ 46.613904][ T7] ? brcmf_notify_vif_event+0x3d0/0x3d0
[ 46.614831][ T7] ? lock_chain_count+0x20/0x20
[ 46.615683][ T7] ? mark_lock.part.0+0xfc/0x2770
[ 46.616552][ T7] ? lock_chain_count+0x20/0x20
[ 46.617409][ T7] ? mark_lock.part.0+0xfc/0x2770
[ 46.618244][ T7] ? lock_chain_count+0x20/0x20
[ 46.619024][ T7] brcmf_bss_connect_done.constprop.0+0x241/0x2e0
[ 46.620019][ T7] ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0
[ 46.620818][ T7] ? __lock_acquire+0x181f/0x5790
[ 46.621462][ T7] brcmf_notify_connect_status+0x448/0x1950
[ 46.622134][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.622736][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[ 46.623390][ T7] ? find_held_lock+0x2d/0x110
[ 46.623962][ T7] ? brcmf_fweh_event_worker+0x19f/0xc60
[ 46.624603][ T7] ? mark_held_locks+0x9f/0xe0
[ 46.625145][ T7] ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
[ 46.625871][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[ 46.626545][ T7] brcmf_fweh_call_event_handler.isra.0+0x90/0x100
[ 46.627338][ T7] brcmf_fweh_event_worker+0x557/0xc60
[ 46.627962][ T7] ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
[ 46.628736][ T7] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 46.629396][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.629970][ T7] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 46.630649][ T7] process_one_work+0x92b/0x1460
[ 46.631205][ T7] ? pwq_dec_nr_in_flight+0x330/0x330
[ 46.631821][ T7] ? rwlock_bug.part.0+0x90/0x90
[ 46.632347][ T7] worker_thread+0x95/0xe00
[ 46.632832][ T7] ? __kthread_parkme+0x115/0x1e0
[ 46.633393][ T7] ? process_one_work+0x1460/0x1460
[ 46.633957][ T7] kthread+0x3a1/0x480
[ 46.634369][ T7] ? set_kthread_struct+0x120/0x120
[ 46.634933][ T7] ret_from_fork+0x1f/0x30
[ 46.635431][ T7]
[ 46.635687][ T7] Allocated by task 7:
[ 46.636151][ T7] kasan_save_stack+0x1b/0x40
[ 46.636628][ T7] __kasan_kmalloc+0x7c/0x90
[ 46.637108][ T7] kmem_cache_alloc_trace+0x19e/0x330
[ 46.637696][ T7] brcmf_cfg80211_attach+0x4a0/0x4040
[ 46.638275][ T7] brcmf_attach+0x389/0xd40
[ 46.638739][ T7] brcmf_usb_probe+0x12de/0x1690
[ 46.639279][ T7] usb_probe_interface+0x2aa/0x760
[ 46.639820][ T7] really_probe+0x205/0xb70
[ 46.640342][ T7] __driver_probe_device+0
---truncated---
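
A user-space model of the size check the description calls for, added here as an illustration; it is not the kernel patch or the driver's own code. The struct, the helper names, the harness and the WL_EXTRA_BUF_MAX value of 2048 are assumptions made for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WL_EXTRA_BUF_MAX 2048u /* assumed buffer size for this model */

/* Constructed stand-in for the device-reported header; fields untrusted. */
struct assoc_info_model { uint32_t req_len, resp_len; };
/* kmemdup() stand-in: NULL when len is 0 or allocation fails. */
static uint8_t *dup_bytes(const uint8_t *src, uint32_t len)
{
    uint8_t *p = len ? malloc(len) : NULL;
    return p ? memcpy(p, src, len) : NULL;
}

/* extra_buf holds WL_EXTRA_BUF_MAX bytes; both lengths are checked against
 * that size before any copy, so neither copy can read past the buffer. */
int get_assoc_ies_model(const struct assoc_info_model *info,
                        const uint8_t *extra_buf,
                        uint8_t **req_ies, uint8_t **resp_ies)
{
    *req_ies = *resp_ies = NULL;
    if (info->req_len > WL_EXTRA_BUF_MAX || info->resp_len > WL_EXTRA_BUF_MAX)
        return -EINVAL;
    *req_ies = dup_bytes(extra_buf, info->req_len);
    *resp_ies = dup_bytes(extra_buf, info->resp_len);
    if ((info->req_len && !*req_ies) || (info->resp_len && !*resp_ies)) {
        free(*req_ies);
        free(*resp_ies);
        *req_ies = *resp_ies = NULL;
        return -ENOMEM;
    }
    return 0;
}

/* Hypothetical harness: run the model once for a pair of claimed lengths. */
int check_lengths(uint32_t req_len, uint32_t resp_len)
{
    static uint8_t extra_buf[WL_EXTRA_BUF_MAX]; /* constructed, zero-filled */
    struct assoc_info_model info = { req_len, resp_len };
    uint8_t *req, *resp;
    int rc = get_assoc_ies_model(&info, extra_buf, &req, &resp);
    free(req);
    free(resp);
    return rc;
}
/* 3014656 is the read size from the KASAN report; the model rejects it. */
int main(void) { return check_lengths(3014656u, 0) == -EINVAL ? 0 : 1; }
```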
Impact
Base score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.14.315 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.283 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.243 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.180 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.110 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.2.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3 (including) | 6.3.1 (excluding) |
References to solutions, tools and information
- https://git.kernel.org/stable/c/0da40e018fd034d87c9460123fa7f897b69fdee7
- https://git.kernel.org/stable/c/21bee3e649d87f78fe8aef6ae02edd3d6f310fd0
- https://git.kernel.org/stable/c/228186629ea970cc78b7d7d5f593f2d32fddf9f6
- https://git.kernel.org/stable/c/39f9bd880abac6068bedb24a4e16e7bd26bf92da
- https://git.kernel.org/stable/c/425eea395f1f5ae349fb55f7fe51d833a5324bfe
- https://git.kernel.org/stable/c/549825602e3e6449927ca1ea1a08fd89868439df
- https://git.kernel.org/stable/c/936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8
- https://git.kernel.org/stable/c/ac5305e5d227b9af3aae25fa83380d3ff0225b73
- https://git.kernel.org/stable/c/e29661611e6e71027159a3140e818ef3b99f32dd



