CVE-2022-49740

27.03.2025, 17:15

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
value of channel specifications provided by the device is greater than
the length of 'list->element[]', decided by the size of the 'list'
allocated with kzalloc(). The patch adds checks that make the functions
free the buffer and return -EINVAL if that is the case. Note that the
negative return is handled by the caller, brcmf_setup_wiphybands() or
brcmf_cfg80211_attach().

Found by a modified version of syzkaller.

Crash Report from brcmf_construct_chaninfo():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896

CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0.cold+0x93/0x334
 kasan_report.cold+0x83/0xdf
 brcmf_setup_wiphybands+0x1238/0x1430
 brcmf_cfg80211_attach+0x2118/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

Allocated by task 1896:
 kasan_save_stack+0x1b/0x40
 __kasan_kmalloc+0x7c/0x90
 kmem_cache_alloc_trace+0x19e/0x330
 brcmf_setup_wiphybands+0x290/0x1430
 brcmf_cfg80211_attach+0x2118/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888115f24000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
 2048-byte region [ffff888115f24000, ffff888115f24800)

Memory state around the buggy address:
 ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crash Report from brcmf_enable_bw40_2g():
==========
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Linux	CNA	---				---
CISA-ADP	ADP	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Vendor	Product	Version
linux	linux_kernel	𝑥 < 5.4.232
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.168
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.93
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.11

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.129-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.19-1 fixed
sid	6.12.20-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-allwinner-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-aws-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-aws-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-aws-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-aws-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-aws-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
xenial	needs-triage

linux-azure

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage
trusty	needs-triage

linux-azure-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-azure-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

oracular	dne
noble	dne
jammy	needs-triage
focal	ignored

linux-azure-fde-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-fde-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-bluefield

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-gcp

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage

linux-gcp-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-gcp-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-gcp-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-gke

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gke-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gkeop-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gkeop-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	needs-triage

linux-hwe-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-hwe-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-hwe-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-ibm-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-ibm-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-intel-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-iot

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-kvm

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-lowlatency

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-lowlatency-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-lowlatency-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-lowlatency-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-lts-xenial

oracular	dne
noble	dne
jammy	dne
focal	dne
trusty	needs-triage

linux-nvidia

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-nvidia-lowlatency

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-nvidia-tegra

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-tegra-igx

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-oem

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oem-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.8

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oracle

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-oracle-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-oracle-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-oracle-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oracle-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-raspi

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-raspi-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-raspi-realtime

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-raspi2

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-realtime

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-riscv

oracular	needs-triage
noble	needs-triage
jammy	ignored
focal	ignored

linux-riscv-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-riscv-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-starfive-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-xilinx-zynqmp

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/4920ab131b2dbae7464b72bdcac465d070254209

https://git.kernel.org/stable/c/9cf5e99c1ae1a85286a76c9a970202750538394c

https://git.kernel.org/stable/c/b2e412879595821ff1b5545cbed5f108fba7f5b6

https://git.kernel.org/stable/c/e4991910f15013db72f6ec0db7038ea67a57052e

https://git.kernel.org/stable/c/f06de1bb6d61f0c18b0213bbc6298960037f9d42