Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability allowing out-of-bounds reads has been identified in the Linux kernel's RTL8723BS Wi-Fi driver, specifically within the Information Element (IE) parser function rtw_get_ie(). This issue arises because the parser improperly trusts the length byte of each IE without verifying that the IE body, indicated by the length, fits within the remaining frame buffer. Consequently, a malformed frame could claim an IE length greater than the available data, leading the parser to read beyond the buffer's end. This flaw can cause out-of-bounds read errors or, in some cases, trigger an infinite loop. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability causes out-of-bounds reads, which can lead to memory corruption or information disclosure. Additionally, depending on the exploitation pattern, it could cause an infinite loop, potentially leading to a denial-of-service condition.
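The root cause described above is a length byte that is trusted before anyone checks that the IE body it announces fits inside the frame. The following is an added illustration, not the kernel's rtw_get_ie() or any code from this advisory: a minimal, hypothetical 802.11 IE walker with the missing bounds check in place, alongside a helper that computes (arithmetically, without touching memory) how far past the buffer a parser that trusts the length byte would read. The frames are constructed sample data, not captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical IE parser (added example, not the kernel's rtw_get_ie()).
 * An 802.11 IE is: [id:1][len:1][body:len]. Returns a pointer to the IE
 * header for `want_id`, or NULL if it is absent or any IE on the way is
 * truncated. `pos` advances by at least 2 per iteration, so the walk
 * always terminates.
 */
static const uint8_t *find_ie_checked(const uint8_t *buf, size_t buf_len,
                                      uint8_t want_id, size_t *ie_len)
{
    size_t pos = 0;

    while (pos + 2 <= buf_len) {          /* room for the id + len header? */
        uint8_t id  = buf[pos];
        size_t  len = buf[pos + 1];

        /* The fix this advisory describes: the body must fit in what is left. */
        if (len > buf_len - pos - 2)
            return NULL;                  /* truncated IE: reject the frame */

        if (id == want_id) {
            if (ie_len)
                *ie_len = len;
            return buf + pos;
        }
        pos += 2 + len;
    }
    return NULL;
}

/* Body length of IE `id`, or -1 if it is absent or the frame is malformed. */
static int ie_body_len(const uint8_t *buf, size_t buf_len, uint8_t id)
{
    size_t n = 0;
    return find_ie_checked(buf, buf_len, id, &n) ? (int)n : -1;
}

/*
 * How many bytes beyond `buf_len` a parser that trusts the length byte
 * would read while walking this frame. Pure arithmetic: nothing past the
 * buffer is dereferenced here.
 */
static size_t naive_overrun(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;

    while (pos + 2 <= buf_len) {
        size_t end = pos + 2 + buf[pos + 1];
        if (end > buf_len)
            return end - buf_len;
        pos = end;
    }
    return 0;
}

/* Constructed sample frames (IE payloads only, no MAC header). */
static const uint8_t good_frame[] = {
    0x00, 0x04, 't', 'e', 's', 't',       /* SSID IE, 4-byte body      */
    0x01, 0x02, 0x82, 0x84,               /* Supported Rates, 2 bytes  */
};
static const uint8_t short_frame[] = {
    0x00, 0x04, 't', 'e',                 /* claims 4 bytes, only 2 present */
};
static const uint8_t huge_frame[] = {
    0x01, 0xff, 0x82,                     /* claims 255 bytes, 1 present    */
};

int main(void)
{
    printf("good: rates len=%d overrun=%zu\n",
           ie_body_len(good_frame, sizeof good_frame, 0x01),
           naive_overrun(good_frame, sizeof good_frame));
    printf("short: ssid len=%d overrun=%zu\n",
           ie_body_len(short_frame, sizeof short_frame, 0x00),
           naive_overrun(short_frame, sizeof short_frame));
    printf("huge: rates len=%d overrun=%zu\n",
           ie_body_len(huge_frame, sizeof huge_frame, 0x01),
           naive_overrun(huge_frame, sizeof huge_frame));
    return 0;
}
```

The check is deliberately placed before the id comparison, so a truncated IE is rejected even when it is the one being searched for; returning partial data for the requested element would just move the over-read to the caller.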
The vulnerability can be reproduced by sending a malformed frame that includes an Information Element (IE) with a length byte indicating more data than is actually available. This can be done using a custom Wi-Fi packet injection tool that allows manipulation of the IE length in the 802.11 frame.
Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.