Linux Kernel Broadcom Brcmfmac Wireless Driver Shift-Out-Of-Bounds Vulnerability

Vulnerability

A shift-out-of-bounds vulnerability has been identified in the Linux kernel's handling of chip revision data for Broadcom wireless devices. This issue arises in the brcmf_fw_alloc_request() function when a 'chiprev' value provided by the device exceeds a certain limit, leading to potential memory access violations. The vulnerability is present in the Linux kernel stable tree, specifically in versions through 5.14.0.

Impact

Exploitation of this vulnerability can lead to undefined behavior, including potential memory corruption, as indicated by the reported shift-out-of-bounds error. Such memory errors can often be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by using a modified version of the syzkaller fuzzer, which can generate inputs that trigger the out-of-bounds shift error in the brcmfmac driver. This can be done by creating a scenario where the 'chiprev' value is set to an invalid, overly large number, which the driver does not properly validate before use.
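Added example, not the kernel's code and not taken from the advisory: a simplified model of a firmware lookup keyed on a per-revision bitmask, showing the range check that keeps a device-supplied 'chiprev' from being used as an out-of-range shift count. The struct layout, the table entries, the REV_BITS constant and the fw_lookup() name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified mapping: an entry applies to every chip
 * revision N whose bit N is set in revmask. */
struct fw_map {
    uint32_t chipid;
    uint32_t revmask;
    const char *fw_base;
};

/* Constructed sample entries, not taken from the driver. */
static const struct fw_map fw_table[] = {
    { 0x4330, 0x0000000Fu, "fw-a" },   /* revisions 0..3  */
    { 0x4330, 0xFFFFFFF0u, "fw-b" },   /* revisions 4..31 */
};

#define REV_BITS 32u   /* width of revmask in bits */

/* Returns the firmware base name, or NULL when the chip or revision
 * is not covered by the table. */
const char *fw_lookup(uint32_t chipid, uint32_t chiprev)
{
    /* chiprev is reported by the device and is untrusted. In C,
     * shifting a 32-bit value by 32 or more is undefined behaviour,
     * so the value is rejected before it reaches the shift. */
    if (chiprev >= REV_BITS)
        return NULL;

    uint32_t revbit = UINT32_C(1) << chiprev;

    for (size_t i = 0; i < sizeof(fw_table) / sizeof(fw_table[0]); i++)
        if (fw_table[i].chipid == chipid && (fw_table[i].revmask & revbit))
            return fw_table[i].fw_base;
    return NULL;
}

int main(void)
{
    /* Constructed inputs: two valid revisions and one oversized value. */
    uint32_t revs[] = { 2, 31, 4096 };
    for (size_t i = 0; i < 3; i++) {
        const char *fw = fw_lookup(0x4330, revs[i]);
        printf("chiprev %u -> %s\n", (unsigned)revs[i], fw ? fw : "rejected");
    }
    return 0;
}
```

Building a variant without the range check under -fsanitize=shift makes the out-of-range shift visible at run time, which is the same class of report a sanitizer-enabled kernel emits.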

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Oct 7, 2025, 4:18 PM
Updated: Oct 7, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.