Linux Kernel Broadcom brcmfmac Invalid max_flowrings Handling Vulnerability Leading to Kernel Panic

Vulnerability

A vulnerability in the Linux kernel's Broadcom brcmfmac wireless driver can lead to a kernel panic. The issue arises when the firmware hits a trap during initialization, which causes the host to read an abnormal max_flowrings value from the dongle. If that value exceeds 256, the kernel panics while initializing the dongle rings via an I/O write operation. The vulnerability is present in several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by using a Broadcom wireless dongle with firmware that triggers a trap during initialization. This will cause the host to read an invalid max_flowrings value, which, if greater than 256, will result in a kernel panic when the system attempts to initialize the dongle's ring buffers.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation or through the package management system of the respective Linux distribution.
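
The kind of early bounds check that keeps a bogus device-reported ring count away from ring setup, shown as an added user-space C example (not the kernel's or the driver's own code). The function names, the field offset and the sample buffers are assumptions made for illustration; the 256 limit is the one stated above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FLOWRINGS_LIMIT 256 /* limit stated in the advisory text */
#define OFF_MAX_FLOWRINGS   0   /* hypothetical offset of the 16-bit field */

struct ring_state {
    uint16_t nr_flowrings;
    uint32_t ring_ctx[MAX_FLOWRINGS_LIMIT]; /* fixed-size host-side table */
};

/* Constructed samples of the shared area: a sane count, and garbage after a trap. */
static const uint8_t sample_healthy[2] = { 0x28, 0x00 }; /* 40 rings */
static const uint8_t sample_trapped[2] = { 0xff, 0xff }; /* 65535 rings */

/* Read a little-endian u16 from simulated dongle memory, bounds-checked. */
static int read_tcm16(const uint8_t *tcm, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return -EINVAL;
    *out = (uint16_t)(tcm[off] | (tcm[off + 1] << 8));
    return 0;
}

/* Validate the device-reported count before it sizes any loop or write. */
int init_ringbuffers(struct ring_state *st, const uint8_t *tcm, size_t len)
{
    uint16_t max_flowrings;
    int ret = read_tcm16(tcm, len, OFF_MAX_FLOWRINGS, &max_flowrings);
    if (ret)
        return ret;
    if (max_flowrings > MAX_FLOWRINGS_LIMIT) {
        fprintf(stderr, "invalid max_flowrings(%u)\n", (unsigned)max_flowrings);
        return -EIO; /* abort the probe instead of touching any ring */
    }
    st->nr_flowrings = max_flowrings;
    for (uint16_t i = 0; i < max_flowrings; i++)
        st->ring_ctx[i] = i; /* stand-in for per-ring setup */
    return 0;
}

int main(void)
{
    static struct ring_state st;
    printf("healthy: %d\n", init_ringbuffers(&st, sample_healthy, sizeof sample_healthy));
    printf("trapped: %d\n", init_ringbuffers(&st, sample_trapped, sizeof sample_trapped));
    return 0;
}
```

Without the range check, the constructed 0xffff value would drive the setup loop far past the 256-entry table.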

Added: Sep 17, 2025, 4:49 PM
Updated: Sep 17, 2025, 4:49 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.