CVE-2023-1380: Slab-out-of-bound read in brcmf_get_assoc_ies leads to Denial of Service in the Linux Kernel

A recent vulnerability, identified as CVE-2023-1380, was discovered in the Linux Kernel. This security flaw exists due to an insecure handling of assoc_info->req_len data in the brcmf_get_assoc_ies function, leading to a slab-out-of-bound read problem. The affected code can be found in the cfg80211.c file, which is part of the Broadcom brcm80211 wireless driver. If exploited, this vulnerability could lead to denial(service) tacking on the targeted devices.

Point of Interest

The kernel has a critical function called brcmf_get_assoc_ies(), which can be found at drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. This function is responsible for obtaining_assoc_ies() in the Linux Kernel. The vulnerability lies in how this function handles assoc_info->req_len data when it is larger than the size of the buffer, defined as WL_EXTRA_BUF_MAX.

The vulnerable code snippet is shown below

static s32 brcmf_get_assoc_ies(struct brcmf_if *ifp)
{
...
if (assoc_info->req_len > WL_EXTRA_BUF_MAX) {
   err = -ENOMEM;
   goto exit;
}
req_ie_len = le32_to_cpu(assoc_info->req_len);
}

Technical Analysis

When assoc_info->req_len is greater than the WL_EXTRA_BUF_MAX, the function returns -ENOMEM, but does not terminate properly and continues processing. As a result, the slab memory area becomes readable beyond its bounds, leading to a potential denial of service.

Exploit Details

An attacker could exploit this vulnerability to cause a denial of service by sending a specifically crafted packet to a vulnerable device, causing the assoc_info->req_len data to become larger than the buffer size defined by WL_EXTRA_BUF_MAX.

Mitigation Measures

It's crucial to apply any security patches released by the Linux Kernel development team or relevant distribution maintainers. In this case, one possible mitigation is to modify the vulnerable code to properly handle such errors, as shown below:

static s32 brcmf_get_assoc_ies(struct brcmf_if *ifp)
{
...
if (assoc_info->req_len > WL_EXTRA_BUF_MAX) {
   err = -ENOMEM;
   goto exit;
}
req_ie_len = le32_to_cpu(assoc_info->req_len);
goto success;
...

exit:
	kfree(assoc_info);
	kfree(req_ie_setbuf);
	kfree(resp_ie_setbuf);
success:
	return err;
}

In the above code, the function would jump to the label 'success' just above the 'return err;' statement. This ensures that the function returns the appropriate error code and avoids the slab-out-of-bound read.

Original References

- CWE (Common Weakness Enumeration) page of this issue: https://cwe.mitre.org/data/definitions/787.html
- Linux Kernel git source code: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

Conclusion

CVE-2023-1380 is a critical vulnerability located in the brcmf_get_assoc_ies() function of the Linux Kernel. A successful exploitation of this bug could lead to a denial-of-service attack on the affected device. It is of utmost importance to keep systems updated with the latest security patches and take necessary mitigation measures, such as modifying the vulnerable code, to prevent any potential exploitation.

Timeline

Published on: 03/27/2023 21:15:00 UTC
Last modified on: 06/22/2023 15:15:00 UTC