Linux Kernel RTL8723BS Stack Buffer Overflow Vulnerability in Association Request Parsing

A stack buffer overflow vulnerability has been identified in the Linux kernel's RTL8723BS Wi-Fi driver, specifically in the parsing of the Supported Rates Information Element (IE) within Association Request frames. This issue arises because the length of the Supported Rates IE is used directly to determine the length of data to be copied into a fixed-size 16-byte stack buffer. Maliciously crafted Association Requests can exploit this by advertising an IE length greater than 16 bytes, leading to a buffer overflow and potential corruption of the kernel stack. The vulnerability affects the Linux kernel staging area driver for RTL8723BS, in versions prior to the patching commit.

Impact

Exploitation of this vulnerability can cause a stack buffer overflow, leading to kernel stack corruption. Such stack corruption can potentially be exploited to execute arbitrary code in the context of the kernel, which could have severe implications for system security and stability.

Reproduction

The vulnerability can be reproduced by sending a malformed Association Request frame that includes a Supported Rates IE length greater than 16 bytes. This can be done using a Wi-Fi device or software that allows for the manipulation of IEEE 802.11 frames, such as airodump-ng or Scapy. The crafted frame should be sent to a device running an affected version of the Linux kernel with the RTL8723BS driver loaded.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit that addresses this issue is available in the Linux kernel stable tree.