Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 5.14.0, < 5.14.0-rc1
A stack-based buffer overflow vulnerability has been identified in the Linux kernel's Broadcom brcmfmac wireless driver. The issue arises in the function 'brcmf_c_preinit_dcmds()' when a firmware version string that is not null-terminated is passed to 'strsep()'. The buffer is populated by 'brcmf_fil_iovar_data_get()' using 'memcpy()', which copies raw bytes and does not append a terminator. The vulnerability was discovered using a modified version of syzkaller.
Exploitation of this vulnerability leads to a stack-out-of-bounds read, which can potentially be leveraged for arbitrary code execution or to cause a denial-of-service condition.
The vulnerability can be reproduced by loading a Broadcom BCM43236 wireless chip with the brcmfmac driver. During initialization, the driver improperly handles a firmware version string that lacks a null terminator, leading to a stack-based buffer overflow. This can be observed in the kernel logs, where KASAN (Kernel Address Sanitizer) reports a stack-out-of-bounds read, indicating that the vulnerability has been triggered.
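A user-space model of the pattern described above, added here as an illustration; it is not the driver's code or the upstream patch. The names `fw_query`, `parse_fw_version` and `VER_BUF_LEN` and the buffer size are assumptions, and the sample responses are constructed.

```c
#define _DEFAULT_SOURCE 1            /* exposes strsep() on glibc */
#include <stdio.h>
#include <string.h>

#define VER_BUF_LEN 16               /* assumed size, not taken from the driver */

/* Hypothetical stand-in for a getter that fills the caller's buffer with
 * memcpy(): raw bytes are copied and no terminator is ever appended. */
static void fw_query(char *dst, size_t dst_len, const char *resp, size_t resp_len)
{
    memcpy(dst, resp, resp_len < dst_len ? resp_len : dst_len);
}

/* Copies the first line of the version response into out.
 * Returns its length, or -1 if out is too small. */
int parse_fw_version(const char *resp, size_t resp_len, char *out, size_t out_len)
{
    char buf[VER_BUF_LEN];
    char *ptr, *line;

    memset(buf, 0, sizeof(buf));
    fw_query(buf, sizeof(buf), resp, resp_len);

    /* Without this line, a response with no NUL in its first VER_BUF_LEN
     * bytes lets strsep() keep scanning past the end of buf[], which is the
     * stack out-of-bounds read that KASAN reports. */
    buf[sizeof(buf) - 1] = '\0';

    ptr = buf;
    line = strsep(&ptr, "\n");       /* cut at the first newline, if any */
    if (strlen(line) >= out_len)
        return -1;
    strcpy(out, line);
    return (int)strlen(line);
}

int main(void)
{
    char out[VER_BUF_LEN], raw[32];

    /* Constructed responses: one well-formed, one with no NUL or newline. */
    memset(raw, 'A', sizeof(raw));
    printf("%d\n", parse_fw_version("1.2.3\nextra", 11, out, sizeof(out)));
    printf("%d\n", parse_fw_version(raw, sizeof(raw), out, sizeof(out)));
    return 0;
}
```

Removing the forced terminator and building with `-fsanitize=address` gives the user-space analogue of the KASAN report for the second response.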
Users can upgrade to the patched version of the Linux kernel available in the official Linux kernel stable repository. Instructions for downloading the latest stable kernel can be found on the Linux kernel website.