NXP Wi-Fi Driver Buffer Overflow Vulnerability in Kernel Module
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the NXP 'moal.ko' Wi-Fi kernel driver, version 5.1.7.10, across several firmware releases. The vulnerability arises in the 'woal_setup_module_param' function, where the 'mod_para' parameter is processed without proper bounds checking. This flaw allows lines of arbitrary length to overflow a fixed-size stack buffer, corrupting the stack and potentially leading to a kernel panic. The issue requires root privileges to exploit, as it involves loading a malicious configuration file via a kernel module parameter.
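The bug class described above, shown from the fix side as an added example: a line reader that checks each line's length before copying it into a fixed-size stack buffer and rejects the whole file if any line is too long. This is user-space illustration code written for this page, not NXP's driver source or patch; `CFG_LINE_SZ`, `next_line`, `parse_config`, `parse_line_of` and the sample input are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <string.h>
#define CFG_LINE_SZ 64 /* assumed size; the advisory does not give the driver's */
enum { LINE_OK = 0, LINE_EOF = 1, LINE_TOO_LONG = -1 };
/* Bounded line copy: the length is checked before anything is written to out. */
static int next_line(const char *data, size_t len, size_t *pos,
                     char *out, size_t out_sz)
{
    if (*pos >= len)
        return LINE_EOF;
    const char *start = data + *pos;
    const char *nl = memchr(start, '\n', len - *pos);
    size_t n = nl ? (size_t)(nl - start) : len - *pos;
    *pos += n + (nl ? 1 : 0);      /* always consume the line */
    if (n >= out_sz)               /* no room for line plus NUL */
        return LINE_TOO_LONG;
    memcpy(out, start, n);
    out[n] = '\0';
    return LINE_OK;
}

/* Returns count of non-comment lines, or -1 (fail closed) on an overlong line. */
static int parse_config(const char *data, size_t len)
{
    char line[CFG_LINE_SZ];        /* fixed-size stack buffer */
    size_t pos = 0;
    int accepted = 0, rc;
    while ((rc = next_line(data, len, &pos, line, sizeof(line))) != LINE_EOF) {
        if (rc == LINE_TOO_LONG)
            return -1;
        if (line[0] != '\0' && line[0] != '#')
            accepted++;
    }
    return accepted;
}

/* Constructed sample inputs (not taken from the driver or the advisory). */
static const char sample_ok[] = "# constructed sample\nkey_a=1\nkey_b=2\n";
static int parse_line_of(size_t n) /* one line of n 'A' bytes, n <= 255 */
{
    char blob[256];
    memset(blob, 'A', n);
    blob[n] = '\n';
    return parse_config(blob, n + 1);
}
int main(void)
{
    return (parse_config(sample_ok, sizeof(sample_ok) - 1) == 2 && parse_line_of(64) == -1) ? 0 : 1;
}
```

A line of 63 bytes fits with its terminator and is accepted; 64 bytes or more causes the file to be rejected instead of written past the buffer.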
Impact
Exploitation of this vulnerability causes a kernel panic, confirmed to trigger an immediate system reboot. Additionally, the stack corruption overwrites the saved return address, with the potential for arbitrary code execution in kernel mode, depending on existing mitigations.
Reproduction
To reproduce this vulnerability, unload any existing Wi-Fi modules and create a configuration file that exploits the buffer overflow by overwriting the return address. Load the 'moal.ko' module with the 'mod_para' parameter pointing to the crafted configuration file. The module will panic upon initialization, indicating successful exploitation.
Remediation
Update to a firmware version later than v17.92.1.p149.157, which includes the patch for this vulnerability. NXP has released the patch as part of a formal software update.
