FKIE_CVE-2022-50258
Vulnerability from fkie_nvd - Published: 2025-09-15 14:15 - Updated: 2025-11-25 17:02
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
This patch fixes a stack-out-of-bounds read in brcmfmac that occurs
when 'buf' that is not null-terminated is passed as an argument of
strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware
version string by memcpy() in brcmf_fil_iovar_data_get().
The patch ensures buf is null-terminated.
Found by a modified version of syzkaller.
[ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3
[ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
[ 47.601565][ T1897] ==================================================================
[ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0
[ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897
[ 47.604336][ T1897]
[ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131
[ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event
[ 47.607453][ T1897] Call Trace:
[ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1
[ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334
[ 47.609009][ T1897] ? strsep+0x1b2/0x1f0
[ 47.609434][ T1897] ? strsep+0x1b2/0x1f0
[ 47.609863][ T1897] kasan_report.cold+0x83/0xdf
[ 47.610366][ T1897] ? strsep+0x1b2/0x1f0
[ 47.610882][ T1897] strsep+0x1b2/0x1f0
[ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0
[ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40
[ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100
[ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0
[ 47.614704][ T1897] ? find_held_lock+0x2d/0x110
[ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260
[ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0
[ 47.616288][ T1897] brcmf_attach+0x246/0xd40
[ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0
[ 47.617280][ T1897] ? kmemdup+0x43/0x50
[ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690
[ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
[ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760
[ 47.619429][ T1897] ? usb_probe_device+0x250/0x250
[ 47.619950][ T1897] really_probe+0x205/0xb70
[ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0
[ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.622209][ T1897] driver_probe_device+0x4e/0x150
[ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0
[ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0
[ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30
[ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160
[ 47.625437][ T1897] __device_attach+0x23f/0x3a0
[ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0
[ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0
[ 47.627057][ T1897] bus_probe_device+0x1da/0x290
[ 47.627557][ T1897] device_add+0xb7b/0x1eb0
[ 47.628027][ T1897] ? wait_for_completion+0x290/0x290
[ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
[ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0
[ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0
[ 47.630385][ T1897] usb_probe_device+0xbb/0x250
[ 47.630927][ T1897] ? usb_suspend+0x590/0x590
[ 47.631397][ T1897] really_probe+0x205/0xb70
[ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0
[ 47.633002][
---truncated---
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C56CFB26-8D6C-4A3D-99C5-DA43FA59DB77",
"versionEndExcluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C902FC54-DDBD-4DA6-BFEF-26889A267464",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "13DD5E68-8CB4-46EE-9A8F-C7F6C1A84430",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4D810CFB-B7C5-493C-B98A-0D5F0D8A47B6",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5B8B2AC9-2F31-4A0F-96F5-7E26B50B27BB",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()\n\nThis patch fixes a stack-out-of-bounds read in brcmfmac that occurs\nwhen \u0027buf\u0027 that is not null-terminated is passed as an argument of\nstrsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware\nversion string by memcpy() in brcmf_fil_iovar_data_get().\nThe patch ensures buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3\n[ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[ 47.601565][ T1897] ==================================================================\n[ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0\n[ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897\n[ 47.604336][ T1897]\n[ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131\n[ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event\n[ 47.607453][ T1897] Call Trace:\n[ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1\n[ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334\n[ 47.609009][ T1897] ? strsep+0x1b2/0x1f0\n[ 47.609434][ T1897] ? strsep+0x1b2/0x1f0\n[ 47.609863][ T1897] kasan_report.cold+0x83/0xdf\n[ 47.610366][ T1897] ? strsep+0x1b2/0x1f0\n[ 47.610882][ T1897] strsep+0x1b2/0x1f0\n[ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0\n[ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40\n[ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100\n[ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0\n[ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0\n[ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0\n[ 47.614704][ T1897] ? find_held_lock+0x2d/0x110\n[ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260\n[ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[ 47.616288][ T1897] brcmf_attach+0x246/0xd40\n[ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0\n[ 47.617280][ T1897] ? kmemdup+0x43/0x50\n[ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690\n[ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760\n[ 47.619429][ T1897] ? usb_probe_device+0x250/0x250\n[ 47.619950][ T1897] really_probe+0x205/0xb70\n[ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130\n[ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0\n[ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130\n[ 47.622209][ T1897] driver_probe_device+0x4e/0x150\n[ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0\n[ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0\n[ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30\n[ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160\n[ 47.625437][ T1897] __device_attach+0x23f/0x3a0\n[ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0\n[ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0\n[ 47.627057][ T1897] bus_probe_device+0x1da/0x290\n[ 47.627557][ T1897] device_add+0xb7b/0x1eb0\n[ 47.628027][ T1897] ? wait_for_completion+0x290/0x290\n[ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0\n[ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0\n[ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0\n[ 47.630385][ T1897] usb_probe_device+0xbb/0x250\n[ 47.630927][ T1897] ? usb_suspend+0x590/0x590\n[ 47.631397][ T1897] really_probe+0x205/0xb70\n[ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130\n[ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0\n[ 47.633002][ \n---truncated---"
}
],
"id": "CVE-2022-50258",
"lastModified": "2025-11-25T17:02:11.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-09-15T14:15:36.617",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/0a06cadcc2a0044e4a117cc0e61436fc3a0dad69"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/17dbe90e13f52848c460d253f15b765038ec6dc0"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/3a3a5e3f94068cd562d62a57da6983c8cd07d53c"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/881f50d76c3892262730ddf5c894eb00310e736c"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/89243a7b0ea19606ba1c2873c9d569026ccb344f"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/ba166e0ebdde3dfa833f0a3edaf2b2934d4a87f7"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/d481fd6064bf215d7c5068e15aa390c3b16c9cd0"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/d6ef66194bb4a6c18f5b9649bf62597909b040e4"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}