CVE-2023-53582

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds

Fix a stack-out-of-bounds read in brcmfmac that occurs when 'buf' that is not null-terminated is passed as an argument of strreplace() in brcmfcpreinitdcmds(). This buffer is filled with a CLM version string by memcpy() in brcmffiliovardata_get(). Ensure buf is null-terminated.

Found by a modified version of syzkaller.

[ 33.004414][ T1896] brcmfmac: brcmfcprocessclmblob: no clmblob available (err=-2), device may have limited channels available [ 33.013486][ T1896] brcmfmac: brcmfcpreinitdcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22 [ 33.021554][ T1896] ================================================================== [ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110 [ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896 [ 33.023852][ T1896] [ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 [ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 33.026065][ T1896] Workqueue: usbhubwq hubevent [ 33.026581][ T1896] Call Trace: [ 33.026896][ T1896] dumpstacklvl+0x57/0x7d [ 33.027372][ T1896] printaddressdescription.constprop.0.cold+0xf/0x334 [ 33.028037][ T1896] ? strreplace+0xf2/0x110 [ 33.028403][ T1896] ? strreplace+0xf2/0x110 [ 33.028807][ T1896] kasanreport.cold+0x83/0xdf [ 33.029283][ T1896] ? strreplace+0xf2/0x110 [ 33.029666][ T1896] strreplace+0xf2/0x110 [ 33.029966][ T1896] brcmfcpreinitdcmds+0xab1/0xc40 [ 33.030351][ T1896] ? brcmfcsetjoinprefdefault+0x100/0x100 [ 33.030787][ T1896] ? rcureadlockschedheld+0xa1/0xd0 [ 33.031223][ T1896] ? rcureadlockbhheld+0xb0/0xb0 [ 33.031661][ T1896] ? lockacquire+0x19d/0x4e0 [ 33.032091][ T1896] ? findheldlock+0x2d/0x110 [ 33.032605][ T1896] ? brcmfusbdeq+0x1a7/0x260 [ 33.033087][ T1896] ? brcmfusbrxfillall+0x5a/0xf0 [ 33.033582][ T1896] brcmfattach+0x246/0xd40 [ 33.034022][ T1896] ? wiphynewnm+0x1476/0x1d50 [ 33.034383][ T1896] ? kmemdup+0x30/0x40 [ 33.034722][ T1896] brcmfusbprobe+0x12de/0x1690 [ 33.035223][ T1896] ? brcmfusbdevqinit.constprop.0+0x470/0x470 [ 33.035833][ T1896] usbprobeinterface+0x25f/0x710 [ 33.036315][ T1896] reallyprobe+0x1be/0xa90 [ 33.036656][ T1896] __driverprobedevice+0x2ab/0x460 [ 33.037026][ T1896] ? usbmatchid.part.0+0x88/0xc0 [ 33.037383][ T1896] driverprobedevice+0x49/0x120 [ 33.037790][ T1896] __deviceattachdriver+0x18a/0x250 [ 33.038300][ T1896] ? driverallowsasyncprobing+0x120/0x120 [ 33.038986][ T1896] busforeachdrv+0x123/0x1a0 [ 33.039906][ T1896] ? busrescandevices+0x20/0x20 [ 33.041412][ T1896] ? lockdephardirqsonprepare+0x273/0x3e0 [ 33.041861][ T1896] ? tracehardirqs_on+0x1c/0x120 [ 33.042330][ T1896] __deviceattach+0x207/0x330 [ 33.042664][ T1896] ? devicebinddriver+0xb0/0xb0 [ 33.043026][ T1896] ? kobjectueventenv+0x230/0x12c0 [ 33.043515][ T1896] busprobedevice+0x1a2/0x260 [ 33.043914][ T1896] deviceadd+0xa61/0x1ce0 [ 33.044227][ T1896] ? __mutexunlockslowpath+0xe7/0x660 [ 33.044891][ T1896] ? __fwdevlinklinktosuppliers+0x550/0x550 [ 33.045531][ T1896] usbsetconfiguration+0x984/0x1770 [ 33.046051][ T1896] ? kernfscreatelink+0x175/0x230 [ 33.046548][ T1896] usbgenericdriverprobe+0x69/0x90 [ 33.046931][ T1896] usbprobedevice+0x9c/0x220 [ 33.047434][ T1896] reallyprobe+0x1be/0xa90 [ 33.047760][ T1896] __driverprobedevice+0x2ab/0x460 [ 33.048134][ T1896] driverprobedevice+0x49/0x120 [ 33.048516][ T1896] _deviceattachdriver+0x18a/0x250 [ 33.048910][ T1896] ? driverallowsasyncprobing+0x120/0x120 ---truncated---