ghsa-fq2q-2mv8-c2mg
Vulnerability from github
Published
2025-09-15 15:31
Modified
2025-09-15 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

Fix a slab-out-of-bounds read that occurs in kmemdup() called from brcmf_get_assoc_ies(). The bug could occur when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of buffer which is defined as WL_EXTRA_BUF_MAX.

Add the size check for req_len/resp_len of assoc_info.

Found by a modified version of syzkaller.

[ 46.592467][ T7] ================================================================== [ 46.594687][ T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50 [ 46.596572][ T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7 [ 46.598575][ T7] [ 46.599157][ T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #145 [ 46.601333][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 46.604360][ T7] Workqueue: events brcmf_fweh_event_worker [ 46.605943][ T7] Call Trace: [ 46.606584][ T7] dump_stack_lvl+0x8e/0xd1 [ 46.607446][ T7] print_address_description.constprop.0.cold+0x93/0x334 [ 46.608610][ T7] ? kmemdup+0x3e/0x50 [ 46.609341][ T7] kasan_report.cold+0x79/0xd5 [ 46.610151][ T7] ? kmemdup+0x3e/0x50 [ 46.610796][ T7] kasan_check_range+0x14e/0x1b0 [ 46.611691][ T7] memcpy+0x20/0x60 [ 46.612323][ T7] kmemdup+0x3e/0x50 [ 46.612987][ T7] brcmf_get_assoc_ies+0x967/0xf60 [ 46.613904][ T7] ? brcmf_notify_vif_event+0x3d0/0x3d0 [ 46.614831][ T7] ? lock_chain_count+0x20/0x20 [ 46.615683][ T7] ? mark_lock.part.0+0xfc/0x2770 [ 46.616552][ T7] ? lock_chain_count+0x20/0x20 [ 46.617409][ T7] ? mark_lock.part.0+0xfc/0x2770 [ 46.618244][ T7] ? lock_chain_count+0x20/0x20 [ 46.619024][ T7] brcmf_bss_connect_done.constprop.0+0x241/0x2e0 [ 46.620019][ T7] ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0 [ 46.620818][ T7] ? __lock_acquire+0x181f/0x5790 [ 46.621462][ T7] brcmf_notify_connect_status+0x448/0x1950 [ 46.622134][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 46.622736][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 [ 46.623390][ T7] ? find_held_lock+0x2d/0x110 [ 46.623962][ T7] ? brcmf_fweh_event_worker+0x19f/0xc60 [ 46.624603][ T7] ? mark_held_locks+0x9f/0xe0 [ 46.625145][ T7] ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 [ 46.625871][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 [ 46.626545][ T7] brcmf_fweh_call_event_handler.isra.0+0x90/0x100 [ 46.627338][ T7] brcmf_fweh_event_worker+0x557/0xc60 [ 46.627962][ T7] ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 [ 46.628736][ T7] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 46.629396][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 46.629970][ T7] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 [ 46.630649][ T7] process_one_work+0x92b/0x1460 [ 46.631205][ T7] ? pwq_dec_nr_in_flight+0x330/0x330 [ 46.631821][ T7] ? rwlock_bug.part.0+0x90/0x90 [ 46.632347][ T7] worker_thread+0x95/0xe00 [ 46.632832][ T7] ? __kthread_parkme+0x115/0x1e0 [ 46.633393][ T7] ? process_one_work+0x1460/0x1460 [ 46.633957][ T7] kthread+0x3a1/0x480 [ 46.634369][ T7] ? set_kthread_struct+0x120/0x120 [ 46.634933][ T7] ret_from_fork+0x1f/0x30 [ 46.635431][ T7] [ 46.635687][ T7] Allocated by task 7: [ 46.636151][ T7] kasan_save_stack+0x1b/0x40 [ 46.636628][ T7] __kasan_kmalloc+0x7c/0x90 [ 46.637108][ T7] kmem_cache_alloc_trace+0x19e/0x330 [ 46.637696][ T7] brcmf_cfg80211_attach+0x4a0/0x4040 [ 46.638275][ T7] brcmf_attach+0x389/0xd40 [ 46.638739][ T7] brcmf_usb_probe+0x12de/0x1690 [ 46.639279][ T7] usb_probe_interface+0x2aa/0x760 [ 46.639820][ T7] really_probe+0x205/0xb70 [ 46.640342][ T7] __driver_probe_device+0 ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53213"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:47Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()\n\nFix a slab-out-of-bounds read that occurs in kmemdup() called from\nbrcmf_get_assoc_ies().\nThe bug could occur when assoc_info-\u003ereq_len, data from a URB provided\nby a USB device, is bigger than the size of buffer which is defined as\nWL_EXTRA_BUF_MAX.\n\nAdd the size check for req_len/resp_len of assoc_info.\n\nFound by a modified version of syzkaller.\n\n[   46.592467][    T7] ==================================================================\n[   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50\n[   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7\n[   46.598575][    T7]\n[   46.599157][    T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G           O      5.14.0+ #145\n[   46.601333][    T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   46.604360][    T7] Workqueue: events brcmf_fweh_event_worker\n[   46.605943][    T7] Call Trace:\n[   46.606584][    T7]  dump_stack_lvl+0x8e/0xd1\n[   46.607446][    T7]  print_address_description.constprop.0.cold+0x93/0x334\n[   46.608610][    T7]  ? kmemdup+0x3e/0x50\n[   46.609341][    T7]  kasan_report.cold+0x79/0xd5\n[   46.610151][    T7]  ? kmemdup+0x3e/0x50\n[   46.610796][    T7]  kasan_check_range+0x14e/0x1b0\n[   46.611691][    T7]  memcpy+0x20/0x60\n[   46.612323][    T7]  kmemdup+0x3e/0x50\n[   46.612987][    T7]  brcmf_get_assoc_ies+0x967/0xf60\n[   46.613904][    T7]  ? brcmf_notify_vif_event+0x3d0/0x3d0\n[   46.614831][    T7]  ? lock_chain_count+0x20/0x20\n[   46.615683][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.616552][    T7]  ? lock_chain_count+0x20/0x20\n[   46.617409][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.618244][    T7]  ? lock_chain_count+0x20/0x20\n[   46.619024][    T7]  brcmf_bss_connect_done.constprop.0+0x241/0x2e0\n[   46.620019][    T7]  ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0\n[   46.620818][    T7]  ? __lock_acquire+0x181f/0x5790\n[   46.621462][    T7]  brcmf_notify_connect_status+0x448/0x1950\n[   46.622134][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.622736][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.623390][    T7]  ? find_held_lock+0x2d/0x110\n[   46.623962][    T7]  ? brcmf_fweh_event_worker+0x19f/0xc60\n[   46.624603][    T7]  ? mark_held_locks+0x9f/0xe0\n[   46.625145][    T7]  ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0\n[   46.625871][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.626545][    T7]  brcmf_fweh_call_event_handler.isra.0+0x90/0x100\n[   46.627338][    T7]  brcmf_fweh_event_worker+0x557/0xc60\n[   46.627962][    T7]  ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100\n[   46.628736][    T7]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   46.629396][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.629970][    T7]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   46.630649][    T7]  process_one_work+0x92b/0x1460\n[   46.631205][    T7]  ? pwq_dec_nr_in_flight+0x330/0x330\n[   46.631821][    T7]  ? rwlock_bug.part.0+0x90/0x90\n[   46.632347][    T7]  worker_thread+0x95/0xe00\n[   46.632832][    T7]  ? __kthread_parkme+0x115/0x1e0\n[   46.633393][    T7]  ? process_one_work+0x1460/0x1460\n[   46.633957][    T7]  kthread+0x3a1/0x480\n[   46.634369][    T7]  ? set_kthread_struct+0x120/0x120\n[   46.634933][    T7]  ret_from_fork+0x1f/0x30\n[   46.635431][    T7]\n[   46.635687][    T7] Allocated by task 7:\n[   46.636151][    T7]  kasan_save_stack+0x1b/0x40\n[   46.636628][    T7]  __kasan_kmalloc+0x7c/0x90\n[   46.637108][    T7]  kmem_cache_alloc_trace+0x19e/0x330\n[   46.637696][    T7]  brcmf_cfg80211_attach+0x4a0/0x4040\n[   46.638275][    T7]  brcmf_attach+0x389/0xd40\n[   46.638739][    T7]  brcmf_usb_probe+0x12de/0x1690\n[   46.639279][    T7]  usb_probe_interface+0x2aa/0x760\n[   46.639820][    T7]  really_probe+0x205/0xb70\n[   46.640342][    T7]  __driver_probe_device+0\n---truncated---",
  "id": "GHSA-fq2q-2mv8-c2mg",
  "modified": "2025-09-15T15:31:29Z",
  "published": "2025-09-15T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53213"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0da40e018fd034d87c9460123fa7f897b69fdee7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21bee3e649d87f78fe8aef6ae02edd3d6f310fd0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/228186629ea970cc78b7d7d5f593f2d32fddf9f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/39f9bd880abac6068bedb24a4e16e7bd26bf92da"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/425eea395f1f5ae349fb55f7fe51d833a5324bfe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/549825602e3e6449927ca1ea1a08fd89868439df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac5305e5d227b9af3aae25fa83380d3ff0225b73"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e29661611e6e71027159a3140e818ef3b99f32dd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.