Linux Kernel Out-of-Bounds Read Vulnerability in iwlwifi Driver

Vulnerability

A potential out-of-bounds read vulnerability has been identified in the Linux kernel's iwlwifi driver, specifically within the match information handling function. The issue arises because the memcpy function assumes that the dynamic array containing match information is sufficiently large to accommodate the data being copied. If this assumption is incorrect, it could lead to the results array containing unintended data. To address this vulnerability, the validation checks have been enhanced to ensure that the packet length is adequate before performing the copy operation. This vulnerability was discovered by the Linux Verification Center using the SVACE analysis tool.
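The length validation described above, sketched as an added example; it is not the iwlwifi driver's code or the upstream patch. The struct layouts, MAX_PROFILES and copy_match_info are hypothetical names and sizes assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PROFILES 8   /* assumed fixed size of the results array */

/* Hypothetical layouts for illustration; not the iwlwifi definitions. */
struct match_entry {
    uint8_t matching_channels[7];
    uint8_t matching_feature;
};

struct match_info_notif {
    uint32_t matched_profiles;
    uint32_t n_scans_done;
    struct match_entry matches[];   /* dynamic array following the header */
};

/*
 * Copy the match array out of a received notification payload.
 * Returns 0 on success, or -1 when the payload is too short to hold the
 * header plus MAX_PROFILES entries; nothing is copied in that case.
 */
int copy_match_info(const void *payload, size_t payload_len,
                    struct match_entry results[MAX_PROFILES])
{
    const size_t hdr_len = offsetof(struct match_info_notif, matches);
    const size_t matches_len = sizeof(struct match_entry) * MAX_PROFILES;

    /* Reject a payload that cannot even hold the fixed header. */
    if (payload_len < hdr_len)
        return -1;

    /* Subtract rather than add so the comparison cannot wrap around. */
    if (payload_len - hdr_len < matches_len)
        return -1;

    /* Without the two checks above, this read could run past the packet. */
    memcpy(results, (const uint8_t *)payload + hdr_len, matches_len);
    return 0;
}
```

The caller passes the length reported for the received packet, not a length field taken from inside the payload.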

Impact

Exploitation of this vulnerability could lead to memory corruption by allowing the introduction of unintended data into the results array, potentially causing unpredictable behavior in the application or system.

Reproduction

The vulnerability can be reproduced by sending a scan offload match info notification that includes a dynamic array of matches. If the array is smaller than expected, the memcpy function will read beyond the allocated memory, creating an out-of-bounds condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.

Added: May 1, 2026, 4:12 PM
Updated: May 1, 2026, 4:12 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.