In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

This patch fixes slab-out-of-bounds reads in brcmfmac that occur in brcmfconstructchaninfo() and brcmfenablebw402g() when the count value of channel specifications provided by the device is greater than the length of 'list->element[]', decided by the size of the 'list' allocated with kzalloc(). The patch adds checks that make the functions free the buffer and return -EINVAL if that is the case. Note that the negative return is handled by the caller, brcmfsetupwiphybands() or brcmfcfg80211_attach().

Found by a modified version of syzkaller.

Crash Report from brcmfconstructchaninfo():

BUG: KASAN: slab-out-of-bounds in brcmfsetupwiphybands+0x1238/0x1430 Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896

CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usbhubwq hubevent Call Trace: dumpstacklvl+0x57/0x7d printaddressdescription.constprop.0.cold+0x93/0x334 kasanreport.cold+0x83/0xdf brcmfsetupwiphybands+0x1238/0x1430 brcmfcfg80211attach+0x2118/0x3fd0 brcmfattach+0x389/0xd40 brcmfusbprobe+0x12de/0x1690 usbprobeinterface+0x25f/0x710 reallyprobe+0x1be/0xa90 _driverprobedevice+0x2ab/0x460 driverprobedevice+0x49/0x120 _deviceattachdriver+0x18a/0x250 busforeachdrv+0x123/0x1a0 _deviceattach+0x207/0x330 busprobedevice+0x1a2/0x260 deviceadd+0xa61/0x1ce0 usbsetconfiguration+0x984/0x1770 usbgenericdriverprobe+0x69/0x90 usbprobedevice+0x9c/0x220 reallyprobe+0x1be/0xa90 _driverprobedevice+0x2ab/0x460 driverprobedevice+0x49/0x120 _deviceattachdriver+0x18a/0x250 busforeachdrv+0x123/0x1a0 _deviceattach+0x207/0x330 busprobedevice+0x1a2/0x260 deviceadd+0xa61/0x1ce0 usbnewdevice.cold+0x463/0xf66 hubevent+0x10d5/0x3330 processonework+0x873/0x13e0 workerthread+0x8b/0xd10 kthread+0x379/0x450 retfromfork+0x1f/0x30

Allocated by task 1896: kasansavestack+0x1b/0x40 _kasankmalloc+0x7c/0x90 kmemcachealloctrace+0x19e/0x330 brcmfsetupwiphybands+0x290/0x1430 brcmfcfg80211attach+0x2118/0x3fd0 brcmfattach+0x389/0xd40 brcmfusbprobe+0x12de/0x1690 usbprobeinterface+0x25f/0x710 reallyprobe+0x1be/0xa90 _driverprobedevice+0x2ab/0x460 driverprobedevice+0x49/0x120 _deviceattachdriver+0x18a/0x250 busforeachdrv+0x123/0x1a0 _deviceattach+0x207/0x330 busprobedevice+0x1a2/0x260 deviceadd+0xa61/0x1ce0 usbsetconfiguration+0x984/0x1770 usbgenericdriverprobe+0x69/0x90 usbprobedevice+0x9c/0x220 reallyprobe+0x1be/0xa90 _driverprobedevice+0x2ab/0x460 driverprobedevice+0x49/0x120 _deviceattachdriver+0x18a/0x250 busforeachdrv+0x123/0x1a0 _deviceattach+0x207/0x330 busprobedevice+0x1a2/0x260 deviceadd+0xa61/0x1ce0 usbnewdevice.cold+0x463/0xf66 hubevent+0x10d5/0x3330 processonework+0x873/0x13e0 workerthread+0x8b/0xd10 kthread+0x379/0x450 retfrom_fork+0x1f/0x30

The buggy address belongs to the object at ffff888115f24000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1536 bytes inside of 2048-byte region [ffff888115f24000, ffff888115f24800)

Memory state around the buggy address: ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Crash Report from brcmfenablebw40_2g():

---truncated---