Linux Kernel WiFi brcmsmac Driver dma_free_coherent Size Mismatch Vulnerability

A vulnerability exists in the Linux kernel's WiFi brcmsmac driver, specifically in the handling of DMA memory allocation and deallocation. The issue arises because the function dma_alloc_consistent can alter the size of the allocated memory to ensure proper alignment. This adjusted size is then stored in a variable called 'alloced'. However, the corresponding deallocation function, dma_free_coherent, was originally called with the unadjusted size, leading to a mismatch. The vulnerability has been addressed by modifying the free operation to use the correct, aligned size.

Impact

The vulnerability could potentially lead to memory management issues, where improperly freed memory could cause instability or unexpected behavior in the driver.

Reproduction

The vulnerability can be reproduced by using the brcmsmac driver with a wireless device that requires DMA memory allocation. When the driver allocates memory using dma_alloc_consistent, the function may adjust the size for alignment purposes. If the driver then frees the memory using dma_free_coherent without accounting for this adjustment, a size mismatch occurs, creating the vulnerability.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patch can be downloaded from the Linux kernel Git repository.