Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A heap buffer overflow vulnerability has been identified in the Linux kernel's WILC1000 wireless driver. The 'valuesize' variable, which is declared as an 8-bit unsigned integer (u8), accumulates the total length of the SSIDs to be scanned. Each SSID can contribute up to 33 bytes, and with a maximum of 10 SSIDs, the total can reach 330 bytes. This exceeds the capacity of a u8, so the value wraps around (330 becomes 74) and the buffer allocated from it is too small. The driver then writes 256 bytes beyond the allocated buffer.
The result is a heap buffer overflow, a class of bug that can commonly be exploited to execute arbitrary code or cause a denial-of-service condition.
The vulnerability can be reproduced by scanning for SSIDs with the WILC1000 wireless driver while the 'WILC_MAX_NUM_PROBED_SSID' is set to 10. This will cause the 'valuesize' variable to overflow, leading to a buffer allocation that is insufficient for the data being processed.
The vulnerability has been addressed by changing the 'valuesize' variable from an 8-bit unsigned integer to a 32-bit unsigned integer, allowing it to correctly handle the maximum length of SSIDs. Users should update to the latest version of the Linux kernel where this fix has been applied.
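The wraparound and the effect of the wider type, worked through as an added example (not the driver's code). The function and struct names are hypothetical, and the input is a constructed list of per-SSID byte counts using the 33-byte and 10-SSID limits given above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PROBED_SSID 10   /* limit stated above for WILC_MAX_NUM_PROBED_SSID */
#define MAX_SSID_BYTES  33   /* maximum contribution of one SSID stated above */

struct scan_sizes { size_t allocated, written, overrun; };

/* Sum the per-SSID byte counts twice: with the 8-bit accumulator (the size the
 * buffer would get) and with a 32-bit accumulator (the bytes actually written). */
static struct scan_sizes size_scan(const uint8_t *bytes, size_t n)
{
    uint8_t  narrow = 0;   /* type before the fix: wraps modulo 256 */
    uint32_t wide   = 0;   /* type after the fix */

    for (size_t i = 0; i < n; i++) {
        narrow = (uint8_t)(narrow + bytes[i]);
        wide  += bytes[i];
    }
    return (struct scan_sizes){ narrow, wide, wide - narrow };
}

/* Constructed worst case: n SSIDs, each contributing the maximum. */
static struct scan_sizes worst_case(size_t n)
{
    uint8_t bytes[MAX_PROBED_SSID] = { 0 };

    if (n > MAX_PROBED_SSID)
        n = MAX_PROBED_SSID;
    for (size_t i = 0; i < n; i++)
        bytes[i] = MAX_SSID_BYTES;
    return size_scan(bytes, n);
}

/* Smallest number of maximum-size SSIDs whose total no longer fits in a u8. */
static size_t first_wrapping_count(void)
{
    for (size_t n = 1; n <= MAX_PROBED_SSID; n++)
        if (worst_case(n).overrun != 0)
            return n;
    return 0;
}

int main(void)
{
    struct scan_sizes s = worst_case(MAX_PROBED_SSID);
    printf("allocated=%zu written=%zu overrun=%zu first wrap at %zu SSIDs\n",
           s.allocated, s.written, s.overrun, first_wrapping_count());
    return 0;
}
```

With a 32-bit accumulator the allocated size equals the written size for every input within these limits, which is why widening the type closes the gap.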