Linux Kernel Broadcom Brcmfmac Driver Stack-Based Buffer Overflow Vulnerability

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Linux kernel's Broadcom brcmfmac wireless driver. This issue arises when a buffer containing a CLM version string is not properly null-terminated before being processed, leading to a stack-out-of-bounds read. The vulnerability was discovered using a modified version of syzkaller.

Impact

Exploitation of this vulnerability causes a stack-out-of-bounds read, which can potentially be leveraged for a more severe attack, such as arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using a Broadcom BCM43236 wireless device on a system running the affected Linux kernel version. The brcmfmac driver processes the CLM version string, which is retrieved from the device firmware. If the string is not null-terminated, processing it as a string runs past the end of the stack buffer that holds it, which is the stack-based buffer overflow condition. This can be observed in the kernel logs, where KASAN (Kernel Address Sanitizer) reports a stack-out-of-bounds read.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the patched version can be found in the Linux kernel documentation.
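The defensive pattern for the condition described above, as an added user-space sketch (not the brcmfmac driver's code and not the upstream patch): a fixed-size buffer filled by a device is terminated at its last byte before any unbounded string function touches it. The helper names, the 32-byte buffer size, the printable-ASCII masking step and the sample version string are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define CLM_BUF_LEN 32 /* assumed size for this sketch, not from the advisory */

static char demo_out[CLM_BUF_LEN]; /* sanitized result of the last demo() call */
static int demo_unterminated;      /* 1 if the device data had no NUL */

/* Hardened consumer for a device-filled version buffer (hypothetical helper).
 * Returns the sanitized length, or -1 on bad arguments. */
static long clm_ver_sanitize(char *buf, size_t buf_len,
                             char *out, size_t out_len, int *unterminated)
{
    size_t n, i;

    if (!buf || !out || !unterminated || buf_len == 0 || out_len == 0)
        return -1;
    /* memchr is bounded by buf_len, so this check cannot over-read. */
    *unterminated = memchr(buf, '\0', buf_len) == NULL;
    /* Force a terminator before any unbounded string function runs. */
    buf[buf_len - 1] = '\0';
    n = strlen(buf); /* safe now: stops at or before buf_len - 1 */
    if (n >= out_len)
        n = out_len - 1;
    /* Assumed processing step: keep printable ASCII, mask the rest. */
    for (i = 0; i < n; i++)
        out[i] = (buf[i] >= 0x20 && buf[i] <= 0x7e) ? buf[i] : '?';
    out[n] = '\0';
    return (long)n;
}

/* Constructed reply: payload copied into a buffer otherwise full of 'A',
 * modelling firmware that fills every byte and leaves no terminator. */
static long demo(const char *payload, size_t len)
{
    char buf[CLM_BUF_LEN];

    memset(buf, 'A', sizeof(buf));
    memcpy(buf, payload, len < sizeof(buf) ? len : sizeof(buf));
    return clm_ver_sanitize(buf, sizeof(buf), demo_out, sizeof(demo_out),
                            &demo_unterminated);
}

int main(void)
{
    /* 23 bytes copied without the literal's NUL: the unterminated case. */
    return demo("API: 12.2\nData: 9.10.39", 23) == 31 ? 0 : 1;
}
```

Without the forced terminator, the `strlen` call would keep reading past `buf` into adjacent stack memory, which is the access KASAN flags as a stack-out-of-bounds read.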

Added: Oct 4, 2025, 5:01 PM
Updated: Oct 4, 2025, 5:01 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.