CVE-2023-53213

Source
https://cve.org/CVERecord?id=CVE-2023-53213
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53213.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53213
Published
2025-09-15T14:21:41.433Z
Modified
2026-04-11T12:46:42.878666Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

Fix a slab-out-of-bounds read that occurs in kmemdup() called from brcmf_get_assoc_ies(). The bug could occur when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of the buffer, which is defined as WL_EXTRA_BUF_MAX.

Add the size check for req_len/resp_len of assoc_info.

Found by a modified version of syzkaller.

[ 46.592467][ T7] ==================================================================
[ 46.594687][ T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50
[ 46.596572][ T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7
[ 46.598575][ T7]
[ 46.599157][ T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #145
[ 46.601333][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 46.604360][ T7] Workqueue: events brcmf_fweh_event_worker
[ 46.605943][ T7] Call Trace:
[ 46.606584][ T7] dump_stack_lvl+0x8e/0xd1
[ 46.607446][ T7] print_address_description.constprop.0.cold+0x93/0x334
[ 46.608610][ T7] ? kmemdup+0x3e/0x50
[ 46.609341][ T7] kasan_report.cold+0x79/0xd5
[ 46.610151][ T7] ? kmemdup+0x3e/0x50
[ 46.610796][ T7] kasan_check_range+0x14e/0x1b0
[ 46.611691][ T7] memcpy+0x20/0x60
[ 46.612323][ T7] kmemdup+0x3e/0x50
[ 46.612987][ T7] brcmf_get_assoc_ies+0x967/0xf60
[ 46.613904][ T7] ? brcmf_notify_vif_event+0x3d0/0x3d0
[ 46.614831][ T7] ? lock_chain_count+0x20/0x20
[ 46.615683][ T7] ? mark_lock.part.0+0xfc/0x2770
[ 46.616552][ T7] ? lock_chain_count+0x20/0x20
[ 46.617409][ T7] ? mark_lock.part.0+0xfc/0x2770
[ 46.618244][ T7] ? lock_chain_count+0x20/0x20
[ 46.619024][ T7] brcmf_bss_connect_done.constprop.0+0x241/0x2e0
[ 46.620019][ T7] ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0
[ 46.620818][ T7] ? __lock_acquire+0x181f/0x5790
[ 46.621462][ T7] brcmf_notify_connect_status+0x448/0x1950
[ 46.622134][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.622736][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[ 46.623390][ T7] ? find_held_lock+0x2d/0x110
[ 46.623962][ T7] ? brcmf_fweh_event_worker+0x19f/0xc60
[ 46.624603][ T7] ? mark_held_locks+0x9f/0xe0
[ 46.625145][ T7] ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
[ 46.625871][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[ 46.626545][ T7] brcmf_fweh_call_event_handler.isra.0+0x90/0x100
[ 46.627338][ T7] brcmf_fweh_event_worker+0x557/0xc60
[ 46.627962][ T7] ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
[ 46.628736][ T7] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 46.629396][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.629970][ T7] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 46.630649][ T7] process_one_work+0x92b/0x1460
[ 46.631205][ T7] ? pwq_dec_nr_in_flight+0x330/0x330
[ 46.631821][ T7] ? rwlock_bug.part.0+0x90/0x90
[ 46.632347][ T7] worker_thread+0x95/0xe00
[ 46.632832][ T7] ? __kthread_parkme+0x115/0x1e0
[ 46.633393][ T7] ? process_one_work+0x1460/0x1460
[ 46.633957][ T7] kthread+0x3a1/0x480
[ 46.634369][ T7] ? set_kthread_struct+0x120/0x120
[ 46.634933][ T7] ret_from_fork+0x1f/0x30
[ 46.635431][ T7]
[ 46.635687][ T7] Allocated by task 7:
[ 46.636151][ T7] kasan_save_stack+0x1b/0x40
[ 46.636628][ T7] __kasan_kmalloc+0x7c/0x90
[ 46.637108][ T7] kmem_cache_alloc_trace+0x19e/0x330
[ 46.637696][ T7] brcmf_cfg80211_attach+0x4a0/0x4040
[ 46.638275][ T7] brcmf_attach+0x389/0xd40
[ 46.638739][ T7] brcmf_usb_probe+0x12de/0x1690
[ 46.639279][ T7] usb_probe_interface+0x2aa/0x760
[ 46.639820][ T7] really_probe+0x205/0xb70
[ 46.640342][ T7] __driver_probe_device+0 ---truncated---
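
The size check described above, modelled in user space as an added example (not the kernel's code). The struct, function names and the numeric buffer size are assumptions made for illustration; device-supplied lengths are validated against the fixed buffer size before anything is copied out of it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size of the scratch buffer in this model; the value is an assumption. */
#define WL_EXTRA_BUF_MAX 2048u

/* Hypothetical stand-in for the driver's per-connection IE storage. */
struct conn_ies {
    uint8_t *req_ie, *resp_ie;
    uint32_t req_ie_len, resp_ie_len;
};

/* Decode a little-endian 32-bit length as supplied by the device. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* User-space counterpart of kmemdup(): copy len bytes to a new allocation. */
static uint8_t *dup_bytes(const uint8_t *src, size_t len)
{
    uint8_t *dst = malloc(len);
    if (dst)
        memcpy(dst, src, len);
    return dst;
}

/* hdr = req_len, resp_len; each buf is WL_EXTRA_BUF_MAX bytes. 0 or -errno. */
int get_assoc_ies(const uint8_t hdr[8], const uint8_t *req_buf,
                  const uint8_t *resp_buf, struct conn_ies *out)
{
    uint32_t req_len = get_le32(hdr), resp_len = get_le32(hdr + 4);
    memset(out, 0, sizeof(*out));
    /* Reject lengths larger than the buffer before any copy reads from it. */
    if (req_len > WL_EXTRA_BUF_MAX || resp_len > WL_EXTRA_BUF_MAX)
        return -EINVAL;
    if (req_len && !(out->req_ie = dup_bytes(req_buf, req_len)))
        return -ENOMEM;
    if (resp_len && !(out->resp_ie = dup_bytes(resp_buf, resp_len))) {
        free(out->req_ie);
        out->req_ie = NULL;
        return -ENOMEM;
    }
    out->req_ie_len = req_len;
    out->resp_ie_len = resp_len;
    return 0;
}
```

Without the length check, the first copy would read `req_len` bytes from a `WL_EXTRA_BUF_MAX`-byte buffer, which is the oversized read KASAN reports in `kmemdup()`.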

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53213.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cf2b448852abd47cee21007b8313fbf962bf3c9a
Fixed
ac5305e5d227b9af3aae25fa83380d3ff0225b73
Fixed
39f9bd880abac6068bedb24a4e16e7bd26bf92da
Fixed
425eea395f1f5ae349fb55f7fe51d833a5324bfe
Fixed
549825602e3e6449927ca1ea1a08fd89868439df
Fixed
936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8
Fixed
e29661611e6e71027159a3140e818ef3b99f32dd
Fixed
228186629ea970cc78b7d7d5f593f2d32fddf9f6
Fixed
21bee3e649d87f78fe8aef6ae02edd3d6f310fd0
Fixed
0da40e018fd034d87c9460123fa7f897b69fdee7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53213.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.37
Fixed
4.14.315
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.283
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.243
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.180
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.110
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.27
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.14
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53213.json"