Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 5.4.0, < 5.4.199
A use-after-free vulnerability has been identified in the Linux kernel's handling of Broadcom wireless devices, specifically within the brcmfmac driver. This issue arises in versions of the kernel prior to 5.4.199. The vulnerability occurs in the 'brcmf_netdev_start_xmit' function, where a scheduled transmission can be completed before the network device's transmission statistics are updated. This flaw was detected by the Kernel Address Sanitizer (KASAN), which reported a read of freed memory, indicating that the driver improperly managed memory allocation and deallocation during packet transmission. The vulnerability can be exploited when the driver processes certain network protocols, such as IGMPv3, potentially leading to memory corruption and undefined behavior.
Exploitation of this vulnerability can cause a use-after-free condition, where the driver attempts to access memory that has already been freed. This can lead to memory corruption, allowing for arbitrary code execution or causing a denial-of-service by crashing the system.
The vulnerability can be reproduced by using a Broadcom wireless device with the brcmfmac driver on a vulnerable version of the Linux kernel. When the system processes IGMPv3 packets, the driver fails to properly synchronize memory management, leading to the use-after-free condition. This can be observed by monitoring the kernel logs for KASAN use-after-free warnings, which indicate that the driver has accessed freed memory, creating a potential opportunity for exploitation.
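The ordering problem described above, where the transmission can complete before the statistics are updated, shown as a user-space model. This is an added example, not the brcmfmac driver's code or the upstream patch; every name in it (pkt, dev_stats, queue_for_tx, MARKER and both xmit functions) is hypothetical, and the "release" is modelled by overwriting the length with a marker so the stale read is visible without real freed memory.

```c
#include <stdio.h>

/* Hypothetical stand-ins for a packet buffer and per-device TX counters. */
struct pkt { unsigned int len; int released; };
struct dev_stats { unsigned long tx_packets, tx_bytes; };

#define MARKER 0x6b6b6b6bU /* constructed value standing in for freed memory */

/* Models the hand-off to the lower layer: the transmission may complete,
 * and the packet be released, before this call returns. The model marks
 * the buffer instead of calling free(), so a late read is observable. */
static int queue_for_tx(struct pkt *p)
{
    p->len = MARKER;
    p->released = 1;
    return 0;
}

/* Vulnerable ordering: the counter update reads p->len after the hand-off. */
static int xmit_stats_after_handoff(struct pkt *p, struct dev_stats *st)
{
    int ret = queue_for_tx(p);
    if (ret == 0) {
        st->tx_packets++;
        st->tx_bytes += p->len; /* stale read: p is no longer owned here */
    }
    return ret;
}

/* Hardened ordering: copy the length while the packet is still owned. */
static int xmit_stats_cached(struct pkt *p, struct dev_stats *st)
{
    unsigned int tx_bytes = p->len;
    int ret = queue_for_tx(p);
    if (ret == 0) {
        st->tx_packets++;
        st->tx_bytes += tx_bytes;
    }
    return ret;
}

int main(void)
{
    struct pkt a = { 1500, 0 }, b = { 1500, 0 }; /* constructed packets */
    struct dev_stats bad = { 0, 0 }, good = { 0, 0 };
    xmit_stats_after_handoff(&a, &bad);
    xmit_stats_cached(&b, &good);
    printf("after hand-off: %lu, cached: %lu\n", bad.tx_bytes, good.tx_bytes);
    return 0;
}
```

In a real kernel the late read touches freed slab memory, which is what KASAN reports; the model only makes the ordering dependency visible.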
Users can upgrade to Linux kernel version 5.4.199 or later, where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the documentation for the specific Linux distribution in use.