Linux Kernel Out-of-Bounds Read Vulnerability in brcmfmac Wi-Fi Driver

Vulnerability

A vulnerability in the Linux kernel's brcmfmac Wi-Fi driver can lead to slab-out-of-bounds reads. The issue arises in the functions brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count of channel specifications reported by the device exceeds the allocated length of the 'list->element[]' array. The vulnerability has been addressed by adding checks that ensure the count does not exceed the allocated buffer, with the functions returning -EINVAL if an overflow is detected. This negative return value is properly handled by the calling functions, brcmf_setup_wiphybands() or brcmf_cfg80211_attach().
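The count check described above, modelled in userspace C as an added example (this is not the kernel patch and not code from the original page). The struct layout, host byte order, and the names parse_chanspecs() and demo_reply() are assumptions, and the reply buffer is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of a device reply: a count followed by that many entries. */
struct chanspec_list {
    uint32_t count;      /* reported by the device, untrusted */
    uint32_t element[];  /* channel specifications */
};

/* Copy the channel specs out of a reply of buf_len bytes. Returns the number
 * copied, or -EINVAL when the reported count exceeds what the reply buffer or
 * the caller's output array can hold, so no read goes past the allocation. */
static int parse_chanspecs(const unsigned char *buf, size_t buf_len,
                           uint32_t *out, size_t out_cap)
{
    const size_t hdr = offsetof(struct chanspec_list, element);
    uint32_t total;

    if (buf_len < hdr)
        return -EINVAL;
    memcpy(&total, buf, sizeof(total));  /* host byte order assumed */
    if (total > (buf_len - hdr) / sizeof(uint32_t) || total > out_cap)
        return -EINVAL;                  /* count larger than the buffer */
    memcpy(out, buf + hdr, (size_t)total * sizeof(uint32_t));
    return (int)total;
}

/* Constructed sample: a reply with room for 4 elements whose count field
 * claims 'claimed' entries. Returns the result of parse_chanspecs(). */
static int demo_reply(uint32_t claimed)
{
    unsigned char buf[5 * sizeof(uint32_t)] = {0};
    uint32_t out[8];

    memcpy(buf, &claimed, sizeof(claimed));
    return parse_chanspecs(buf, sizeof(buf), out, 8);
}

int main(void)
{
    printf("count=4 -> %d\n", demo_reply(4));
    printf("count=5 -> %d (-EINVAL)\n", demo_reply(5));
    return 0;
}
```

The caller must treat the negative return as a failure, as the page notes the calling functions do.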

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds read, which can lead to information disclosure or potentially allow for further exploitation by overwriting memory.

Reproduction

The vulnerability can be reproduced by using a device that sends channel specifications with a count value greater than what the driver can safely handle. This can be done by modifying the channel information sent by a Wi-Fi device to exceed the expected limits, which will trigger the out-of-bounds read when the driver processes the channel information.

Remediation

Users should update to the latest version of the Linux kernel where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.