
Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

Fix a slab-out-of-bounds read that occurs in kmemdup() called from brcmf_get_assoc_ies(). The bug could occur when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of the buffer, which is defined as WL_EXTRA_BUF_MAX. Add a size check for the req_len/resp_len fields of assoc_info.

Found by a modified version of syzkaller.

[ 46.592467][ T7] ==================================================================
[ 46.594687][ T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50
[ 46.596572][ T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7
[ 46.598575][ T7]
[ 46.599157][ T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #145
[ 46.601333][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 46.604360][ T7] Workqueue: events brcmf_fweh_event_worker
[ 46.605943][ T7] Call Trace:
[ 46.606584][ T7] dump_stack_lvl+0x8e/0xd1
[ 46.607446][ T7] print_address_description.constprop.0.cold+0x93/0x334
[ 46.608610][ T7] ? kmemdup+0x3e/0x50
[ 46.609341][ T7] kasan_report.cold+0x79/0xd5
[ 46.610151][ T7] ? kmemdup+0x3e/0x50
[ 46.610796][ T7] kasan_check_range+0x14e/0x1b0
[ 46.611691][ T7] memcpy+0x20/0x60
[ 46.612323][ T7] kmemdup+0x3e/0x50
[ 46.612987][ T7] brcmf_get_assoc_ies+0x967/0xf60
[ 46.613904][ T7] ? brcmf_notify_vif_event+0x3d0/0x3d0
[ 46.614831][ T7] ? lock_chain_count+0x20/0x20
[ 46.615683][ T7] ? mark_lock.part.0+0xfc/0x2770
[ 46.616552][ T7] ? lock_chain_count+0x20/0x20
[ 46.617409][ T7] ? mark_lock.part.0+0xfc/0x2770
[ 46.618244][ T7] ? lock_chain_count+0x20/0x20
[ 46.619024][ T7] brcmf_bss_connect_done.constprop.0+0x241/0x2e0
[ 46.620019][ T7] ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0
[ 46.620818][ T7] ? __lock_acquire+0x181f/0x5790
[ 46.621462][ T7] brcmf_notify_connect_status+0x448/0x1950
[ 46.622134][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.622736][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[ 46.623390][ T7] ? find_held_lock+0x2d/0x110
[ 46.623962][ T7] ? brcmf_fweh_event_worker+0x19f/0xc60
[ 46.624603][ T7] ? mark_held_locks+0x9f/0xe0
[ 46.625145][ T7] ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
[ 46.625871][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[ 46.626545][ T7] brcmf_fweh_call_event_handler.isra.0+0x90/0x100
[ 46.627338][ T7] brcmf_fweh_event_worker+0x557/0xc60
[ 46.627962][ T7] ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
[ 46.628736][ T7] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 46.629396][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.629970][ T7] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 46.630649][ T7] process_one_work+0x92b/0x1460
[ 46.631205][ T7] ? pwq_dec_nr_in_flight+0x330/0x330
[ 46.631821][ T7] ? rwlock_bug.part.0+0x90/0x90
[ 46.632347][ T7] worker_thread+0x95/0xe00
[ 46.632832][ T7] ? __kthread_parkme+0x115/0x1e0
[ 46.633393][ T7] ? process_one_work+0x1460/0x1460
[ 46.633957][ T7] kthread+0x3a1/0x480
[ 46.634369][ T7] ? set_kthread_struct+0x120/0x120
[ 46.634933][ T7] ret_from_fork+0x1f/0x30
[ 46.635431][ T7]
[ 46.635687][ T7] Allocated by task 7:
[ 46.636151][ T7] kasan_save_stack+0x1b/0x40
[ 46.636628][ T7] __kasan_kmalloc+0x7c/0x90
[ 46.637108][ T7] kmem_cache_alloc_trace+0x19e/0x330
[ 46.637696][ T7] brcmf_cfg80211_attach+0x4a0/0x4040
[ 46.638275][ T7] brcmf_attach+0x389/0xd40
[ 46.638739][ T7] brcmf_usb_probe+0x12de/0x1690
[ 46.639279][ T7] usb_probe_interface+0x2aa/0x760
[ 46.639820][ T7] really_probe+0x205/0xb70
[ 46.640342][ T7] __driver_probe_device+0 ---truncated---
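The length check the fix describes, modelled in userspace C as an added example (not the brcmfmac driver's code): the value of WL_EXTRA_BUF_MAX, the header layout and the function names are assumptions, and the two sample headers are constructed, one of them carrying the 3014656-byte req_len from the KASAN report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WL_EXTRA_BUF_MAX 2048 /* assumed value; the kernel's own constant is not copied here */

/* Model of the assoc-info header: two little-endian 32-bit lengths, untrusted as they arrive in the URB. */
struct assoc_ielen {
    uint32_t req_len;
    uint32_t resp_len;
};
static uint8_t extra_buf[WL_EXTRA_BUF_MAX]; /* stand-in for cfg->extra_buf, the slab buffer that was overread */

static uint32_t le32_to_host(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The check the fix adds: bound both device-supplied lengths by the backing buffer
 * before any copy. Returns 0 if valid, -1 (EINVAL-like) otherwise; out may be NULL. */
int check_assoc_lens(const uint8_t *raw, size_t raw_len, struct assoc_ielen *out)
{
    struct assoc_ielen tmp;
    if (!out)
        out = &tmp;
    if (raw_len < sizeof(*out))
        return -1;
    out->req_len = le32_to_host(raw);
    out->resp_len = le32_to_host(raw + 4);
    return (out->req_len > WL_EXTRA_BUF_MAX || out->resp_len > WL_EXTRA_BUF_MAX) ? -1 : 0;
}

/* Hardened counterpart of the kmemdup() in brcmf_get_assoc_ies(): the copy length
 * is only used after check_assoc_lens() bounded it. Returns NULL when rejected. */
uint8_t *dup_assoc_req_ies(const uint8_t *raw, size_t raw_len, uint32_t *len_out)
{
    struct assoc_ielen info;
    if (check_assoc_lens(raw, raw_len, &info) != 0 || info.req_len == 0)
        return NULL;
    uint8_t *copy = malloc(info.req_len);
    if (copy) {
        memcpy(copy, extra_buf, info.req_len); /* never more than WL_EXTRA_BUF_MAX bytes */
        if (len_out)
            *len_out = info.req_len;
    }
    return copy;
}
/* Constructed headers: sane (req 64, resp 32) and hostile (req 0x2e0000 = 3014656, as in the KASAN report). */
const uint8_t sane_hdr[8]    = {0x40, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00};
const uint8_t hostile_hdr[8] = {0x00, 0x00, 0x2e, 0x00, 0x20, 0x00, 0x00, 0x00};
```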

PUBLISHED Reserved 2025-09-15 | Published 2025-09-15 | Updated 2025-09-15 | Assigner Linux

Product status

Default status: unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ac5305e5d227b9af3aae25fa83380d3ff0225b73: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 39f9bd880abac6068bedb24a4e16e7bd26bf92da: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 425eea395f1f5ae349fb55f7fe51d833a5324bfe: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 549825602e3e6449927ca1ea1a08fd89868439df: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before e29661611e6e71027159a3140e818ef3b99f32dd: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 228186629ea970cc78b7d7d5f593f2d32fddf9f6: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 21bee3e649d87f78fe8aef6ae02edd3d6f310fd0: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 0da40e018fd034d87c9460123fa7f897b69fdee7: affected

Default status: affected

4.14.315 (semver): unaffected
4.19.283 (semver): unaffected
5.4.243 (semver): unaffected
5.10.180 (semver): unaffected
5.15.110 (semver): unaffected
6.1.27 (semver): unaffected
6.2.14 (semver): unaffected
6.3.1 (semver): unaffected
6.4 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/ac5305e5d227b9af3aae25fa83380d3ff0225b73

git.kernel.org/...c/39f9bd880abac6068bedb24a4e16e7bd26bf92da

git.kernel.org/...c/425eea395f1f5ae349fb55f7fe51d833a5324bfe

git.kernel.org/...c/549825602e3e6449927ca1ea1a08fd89868439df

git.kernel.org/...c/936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8

git.kernel.org/...c/e29661611e6e71027159a3140e818ef3b99f32dd

git.kernel.org/...c/228186629ea970cc78b7d7d5f593f2d32fddf9f6

git.kernel.org/...c/21bee3e649d87f78fe8aef6ae02edd3d6f310fd0

git.kernel.org/...c/0da40e018fd034d87c9460123fa7f897b69fdee7

cve.org (CVE-2023-53213)

nvd.nist.gov (CVE-2023-53213)
