A vulnerability has been identified in the wifi: brcm80211 subsystem of the Linux kernel, specifically in the brcmfmac driver. Tracked as CVE-2024-27048, it stems from a missing check for allocation failure on the pmk_op buffer in brcmf_pmksa_v3_op(). If kzalloc() returns NULL and the result is used without being tested, the driver dereferences a NULL pointer and the kernel oopses. This article explains the nature of the bug, the code where it resides, and how the fix addresses it.

Vulnerability Overview

In the Linux kernel, the wifi: brcm80211 subsystem contains the brcmfmac driver for Broadcom FullMAC wireless chips. The problem sits in brcmf_pmksa_v3_op(), which allocates a PMKSA operation request with kzalloc(). Like every kernel allocator without __GFP_NOFAIL, kzalloc() returns NULL when the request cannot be satisfied, for example under memory pressure. The original code wrote into the fields of pmk_op without checking the result, so a failed allocation turns into a NULL pointer dereference: a kernel oops that kills the task performing the operation, or a full panic on systems configured with panic_on_oops.

Here is the relevant part of the function before the fix (abridged; only the allocation and the locals that matter are shown):

static int brcmf_pmksa_v3_op(struct brcmf_cfg80211_info *cfg, u8 *pmk, int op, u8 *mac_addr)
{
	struct brcmf_pmksa_op_v3 *pmk_op;
	int err;

	pmk_op = kzalloc(sizeof(struct brcmf_pmksa_op_v3), GFP_KERNEL);
	/* No check of the result: if kzalloc() returned NULL, the code
	 * below writes into *pmk_op through a NULL pointer. */

	/* ... fill in *pmk_op and send the operation to the firmware ... */
}

The issue is the missing check after the kzalloc() call. Under memory pressure kzalloc() returns NULL, and the function went on to populate pmk_op regardless. Every allocation result must be tested before it is dereferenced; a NULL pointer write in kernel context is not recoverable by the caller.

Solution to CVE-2024-27048

To address CVE-2024-27048, the fix tests the return value of kzalloc() and returns -ENOMEM from brcmf_pmksa_v3_op() when pmk_op could not be allocated, so the caller receives an error instead of the driver crashing. Here is the corrected code snippet:

static int brcmf_pmksa_v3_op(struct brcmf_cfg80211_info *cfg, u8 *pmk, int op, u8 *mac_addr)
{
	struct brcmf_pmksa_op_v3 *pmk_op;
	int err;

	pmk_op = kzalloc(sizeof(struct brcmf_pmksa_op_v3), GFP_KERNEL);
	if (!pmk_op)
		return -ENOMEM;	/* allocation failed: report it, never touch pmk_op */

	/* ... fill in *pmk_op and send the operation to the firmware ... */
}

By checking pmk_op and returning -ENOMEM when kzalloc() yields NULL, the function now handles allocation failure: the error propagates up to the caller instead of being turned into a NULL pointer dereference. Because the check sits before any other resource is acquired, a plain return is sufficient. Had a later allocation failed while pmk_op was already held, the error path would also have to free pmk_op, which is why kernel code conventionally unwinds through cleanup labels in such functions.
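The following is an added, user-space example of the pattern the fix applies, not brcmfmac code. The struct pmk_op layout, the kzalloc_sim()/kfree_sim() wrappers and the "firmware exchange" are constructed stand-ins; the only thing taken from the driver is the shape of the error handling. The fault-injection knob plays the role that the kernel's failslab facility (CONFIG_FAILSLAB) plays in a real kernel, making the n-th allocation return NULL so the error paths can actually be exercised. It also goes one step beyond the page's snippet by adding a second allocation, to show that a failure after a buffer is already held must free that buffer on the way out:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the driver's PMKSA request (real layout not
 * shown on this page; it does not matter for the error-handling point). */
struct pmk_op {
	uint16_t version;
	uint8_t  bssid[6];
	uint8_t  pmkid[16];
};

/* Fault injection modelled on the kernel's failslab facility: allocation
 * number allocs_until_fail (0 = first) returns NULL once, then behaviour is
 * normal.  live_allocs counts outstanding buffers to prove no leaks. */
static int allocs_until_fail = -1;	/* -1: never fail */
static int live_allocs;

static void *kzalloc_sim(size_t n)
{
	if (allocs_until_fail == 0) {
		allocs_until_fail = -1;
		return NULL;		/* what kzalloc() returns on failure */
	}
	if (allocs_until_fail > 0)
		allocs_until_fail--;
	live_allocs++;
	return calloc(1, n);
}

static void kfree_sim(void *p)
{
	if (p) {			/* kfree(NULL) is a no-op in the kernel too */
		live_allocs--;
		free(p);
	}
}

/* Fixed shape of brcmf_pmksa_v3_op(): test the allocation before touching
 * pmk_op.  A second buffer is added here to show the other half of the rule:
 * once an earlier buffer is held, a later failure must unwind through a
 * cleanup label, the idiom kernel code uses for this. */
static int pmksa_op_checked(const uint8_t bssid[6], const uint8_t pmkid[16])
{
	struct pmk_op *op;
	uint8_t *resp;
	int err;

	op = kzalloc_sim(sizeof(*op));
	if (!op)
		return -ENOMEM;		/* nothing held yet: plain return is correct */

	op->version = 3;		/* pre-fix code reached this with op == NULL */
	memcpy(op->bssid, bssid, sizeof(op->bssid));
	memcpy(op->pmkid, pmkid, sizeof(op->pmkid));

	resp = kzalloc_sim(sizeof(*op));
	if (!resp) {
		err = -ENOMEM;		/* op is held: it must be freed below */
		goto out_free_op;
	}

	memcpy(resp, op, sizeof(*op));	/* stand-in for the firmware exchange */
	err = 0;
	kfree_sim(resp);
out_free_op:
	kfree_sim(op);
	return err;
}

/* Runs the operation with allocation fail_nth forced to fail (-1 = none)
 * and returns its error code; outstanding_allocs() reports leaked buffers. */
int run_pmksa_op(int fail_nth)
{
	static const uint8_t bssid[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
	static const uint8_t pmkid[16] = { 0 };

	allocs_until_fail = fail_nth;
	return pmksa_op_checked(bssid, pmkid);
}

int outstanding_allocs(void)
{
	return live_allocs;
}

int main(void)
{
	for (int fail_nth = -1; fail_nth <= 1; fail_nth++) {
		int ret = run_pmksa_op(fail_nth);
		printf("fail_nth=%2d ret=%d leaked=%d\n", fail_nth, ret,
		       outstanding_allocs());
	}
	return 0;
}
```

Run with no injected failure the operation returns 0; with the first or the second allocation failing it returns -ENOMEM and leaves no buffer outstanding. On a real kernel the equivalent test is done with failslab through /sys/kernel/debug/failslab (probability, interval, times), which is the simplest way to confirm that a driver path like this one survives kzalloc() returning NULL.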

Original References

- The kernel patch resolving the vulnerability: Linux Kernel Mailing List
- Vulnerable driver source file: brcmfmac Linux driver source

In conclusion, CVE-2024-27048 is a NULL pointer dereference in the brcmfmac driver that can oops or panic a Linux system when kzalloc() fails inside brcmf_pmksa_v3_op(). Triggering it requires an allocation failure, so its practical impact is denial of service under memory pressure rather than code execution. Users of Broadcom FullMAC Wi-Fi hardware should run a kernel that includes the fix referenced below.

Timeline

Published on: 05/01/2024 13:15:49 UTC
Last modified on: 05/29/2024 05:27:37 UTC