CVE-2022-50258

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmfcpreinit_dcmds()

This patch fixes a stack-out-of-bounds read in brcmfmac that occurs when 'buf' that is not null-terminated is passed as an argument of strsep() in brcmfcpreinitdcmds(). This buffer is filled with a firmware version string by memcpy() in brcmffiliovardata_get(). The patch ensures buf is null-terminated.

Found by a modified version of syzkaller.

[ 47.569679][ T1897] brcmfmac: brcmffwallocrequest: using brcm/brcmfmac43236b for chip BCM43236/3 [ 47.582839][ T1897] brcmfmac: brcmfcprocessclmblob: no clmblob available (err=-2), device may have limited channels available [ 47.601565][ T1897] ================================================================== [ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0 [ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897 [ 47.604336][ T1897] [ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131 [ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 47.606907][ T1897] Workqueue: usbhubwq hubevent [ 47.607453][ T1897] Call Trace: [ 47.607801][ T1897] dumpstacklvl+0x8e/0xd1 [ 47.608295][ T1897] printaddressdescription.constprop.0.cold+0xf/0x334 [ 47.609009][ T1897] ? strsep+0x1b2/0x1f0 [ 47.609434][ T1897] ? strsep+0x1b2/0x1f0 [ 47.609863][ T1897] kasanreport.cold+0x83/0xdf [ 47.610366][ T1897] ? strsep+0x1b2/0x1f0 [ 47.610882][ T1897] strsep+0x1b2/0x1f0 [ 47.611300][ T1897] ? brcmffiliovardataget+0x3a/0xf0 [ 47.611883][ T1897] brcmfcpreinitdcmds+0x995/0xc40 [ 47.612434][ T1897] ? brcmfcsetjoinprefdefault+0x100/0x100 [ 47.613078][ T1897] ? rcureadlockschedheld+0xa1/0xd0 [ 47.613662][ T1897] ? rcureadlockbhheld+0xb0/0xb0 [ 47.614208][ T1897] ? lockacquire+0x19d/0x4e0 [ 47.614704][ T1897] ? findheldlock+0x2d/0x110 [ 47.615236][ T1897] ? brcmfusbdeq+0x1a7/0x260 [ 47.615741][ T1897] ? brcmfusbrxfillall+0x5a/0xf0 [ 47.616288][ T1897] brcmfattach+0x246/0xd40 [ 47.616758][ T1897] ? wiphynewnm+0x1703/0x1dd0 [ 47.617280][ T1897] ? kmemdup+0x43/0x50 [ 47.617720][ T1897] brcmfusbprobe+0x12de/0x1690 [ 47.618244][ T1897] ? brcmfusbdevqinit.constprop.0+0x470/0x470 [ 47.618901][ T1897] usbprobeinterface+0x2aa/0x760 [ 47.619429][ T1897] ? usbprobedevice+0x250/0x250 [ 47.619950][ T1897] reallyprobe+0x205/0xb70 [ 47.620435][ T1897] ? driverallowsasync_probing+0x130/0x130 [ 47.621048][ T1897] __driverprobedevice+0x311/0x4b0 [ 47.621595][ T1897] ? driverallowsasyncprobing+0x130/0x130 [ 47.622209][ T1897] driverprobe_device+0x4e/0x150 [ 47.622739][ T1897] __deviceattachdriver+0x1cc/0x2a0 [ 47.623287][ T1897] busforeachdrv+0x156/0x1d0 [ 47.623796][ T1897] ? busrescandevices+0x30/0x30 [ 47.624309][ T1897] ? lockdephardirqsonprepare+0x273/0x3e0 [ 47.624907][ T1897] ? tracehardirqson+0x46/0x160 [ 47.625437][ T1897] __deviceattach+0x23f/0x3a0 [ 47.625924][ T1897] ? devicebinddriver+0xd0/0xd0 [ 47.626433][ T1897] ? kobjectueventenv+0x287/0x14b0 [ 47.627057][ T1897] busprobedevice+0x1da/0x290 [ 47.627557][ T1897] deviceadd+0xb7b/0x1eb0 [ 47.628027][ T1897] ? waitforcompletion+0x290/0x290 [ 47.628593][ T1897] ? __fwdevlinklinktosuppliers+0x5a0/0x5a0 [ 47.629249][ T1897] usbsetconfiguration+0xf59/0x16f0 [ 47.629829][ T1897] usbgenericdriverprobe+0x82/0xa0 [ 47.630385][ T1897] usbprobedevice+0xbb/0x250 [ 47.630927][ T1897] ? usbsuspend+0x590/0x590 [ 47.631397][ T1897] reallyprobe+0x205/0xb70 [ 47.631855][ T1897] ? driverallowsasyncprobing+0x130/0x130 [ 47.632469][ T1897] __driverprobedevice+0x311/0x4b0 [ 47.633002][ ---truncated---