Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A null pointer dereference vulnerability has been identified in the Linux kernel's Broadcom Wi-Fi driver (brcmfmac). This issue arises when the driver is set to use random MAC addresses, leading to an invalid memory access. The vulnerability occurs in versions of the Linux kernel prior to 5.15.0, specifically in the stable branch 4.19.42-00001-g531a5f5. The problem is triggered during the scheduling of Wi-Fi scans, where the driver attempts to access user memory without proper validation, resulting in a kernel crash.
Exploitation of this vulnerability causes a kernel crash, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by enabling scheduled scans in the Broadcom Wi-Fi driver while the driver is configured to use random MAC addresses. This can be done through the network management tool 'wificond', which sends a netlink message to start a scheduled scan. The driver will then attempt to access the random MAC address information, leading to a null pointer dereference and a crash.
Users can upgrade to Linux kernel versions 5.15.0 or later, where this vulnerability has been addressed.
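A host triage sketch for the conditions described above, added here as an example and not taken from the advisory or the kernel source: it checks whether a kernel release string predates 5.15, whether brcmfmac is loaded, and whether the kernel log holds a NULL-dereference oops with a brcmfmac frame. The function names, the 40-line window and the sample log (including its placeholder frame name) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added triage sketch (not from the advisory). Version alone is a heuristic:
# distribution kernels may carry the fix as a backport.

# Exit 0 if release string $1 (e.g. from `uname -r`) is older than 5.15.
kernel_predates_fix() {
    ver=${1%%[!0-9.]*}                  # "4.19.42-00001-g531a5f5" -> "4.19.42"
    case $ver in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 15 ]; }
}

# Exit 0 if stdin holds a NULL-dereference oops with a brcmfmac frame in the
# following lines. Matching "brcmf_...+0x" rather than "brcmfmac" avoids
# flagging unrelated oopses that merely list the module as loaded.
oops_in_brcmfmac() {
    awk '/kernel NULL pointer dereference/ { window = 40 }
         window > 0 { if ($0 ~ /brcmf_[a-z0-9_]+\+0x/) hit = 1; window-- }
         END { exit (hit ? 0 : 1) }'
}

# Constructed sample log; the frame name is a placeholder, not the real crash site.
# Try: sample_oops | oops_in_brcmfmac && echo match
sample_oops() {
    cat <<'EOF'
[  812.104] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[  812.105] Modules linked in: brcmfmac brcmutil cfg80211
[  812.106] Call trace:
[  812.107]  brcmf_example_frame+0x40/0x1a0 [brcmfmac]
EOF
}

triage() {
    rel=$(uname -r)
    if kernel_predates_fix "$rel"; then echo "kernel $rel predates 5.15"
    else echo "kernel $rel is 5.15 or later (or unparsed)"; fi
    if grep -q '^brcmfmac ' /proc/modules 2>/dev/null; then echo "brcmfmac loaded"
    else echo "brcmfmac not loaded"; fi
    if dmesg 2>/dev/null | oops_in_brcmfmac; then echo "brcmfmac NULL-deref oops in log"
    else echo "no brcmfmac NULL-deref oops in readable log"; fi
}

triage
```

Reading the kernel log with dmesg may require elevated privileges; an unreadable log is reported the same as a clean one.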