Linux Kernel Broadcom Brcmfmac Driver Null Pointer Dereference Vulnerability

A vulnerability in the Linux kernel's handling of the Broadcom brcmfmac wireless driver can lead to a null pointer dereference. This issue occurs when the probe function is called with a null identifier, which can happen in two scenarios: during a device reprobe initiated by the brcmf_pcie_pm_leave_D3 function, or when a user manually binds the driver through sysfs, resulting in the probe function receiving a null id. This flaw has been reported to cause a kernel oops error, disrupting Wi-Fi functionality on affected devices.

Impact

Exploiting this vulnerability causes a kernel null pointer dereference, leading to a crash and disruption of Wi-Fi functionality.

Reproduction

The vulnerability can be reproduced by manually binding the brcmfmac driver through sysfs, which will result in the probe function being called with a null id. This scenario triggers a null pointer dereference, causing a kernel crash and disabling Wi-Fi on the device.

Remediation

Users can update to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for updating the kernel can be found in the documentation for your specific Linux distribution.