CVE-2022-49740
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2022-49740 is a slab-out-of-bounds read vulnerability in the Linux kernel's brcmfmac WiFi driver, affecting the functions brcmf_construct_chaninfo() and brcmf_enable_bw40_2g(). The issue arises when the count of channel specifications reported by the device exceeds the number of entries that fit in the allocated 'list->element[]' buffer, whose size is fixed by the kzalloc() allocation in brcmf_setup_wiphybands() or brcmf_cfg80211_attach(). Indexing element[] beyond that limit produces invalid memory reads, which KASAN detected in crash reports during device initialization.
A local attacker with low privileges can trigger the bug by connecting a malicious USB device supported by the brcmfmac driver; the faulty read occurs while the driver initializes the device, for example during USB enumeration in the usb_hub_wq workqueue. The malformed channel specification count triggers out-of-bounds reads, which may disclose kernel memory (high confidentiality impact) or crash the system (high availability impact), with no integrity impact and no scope change, as scored by the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (score 7.1). The weakness is classified as CWE-125 (Out-of-bounds Read).
Kernel patch commits referenced in advisories, such as the one at git.kernel.org/stable/c/4920ab131b2dbae7464b72bdcac465d070254209 and others, fix the issue by adding checks in the affected functions that free the buffer and return -EINVAL when the count exceeds the allocated size. Callers such as brcmf_setup_wiphybands() and brcmf_cfg80211_attach() handle the negative return appropriately. Systems should update to kernels that include these stable backports.
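As an added illustration, not the kernel's code or the patch itself, the following C sketch shows the defensive pattern the fix introduces: the device-supplied count is checked against the capacity of the allocated buffer before element[] is indexed, and an oversized count yields -EINVAL so the caller can free the buffer and bail out. The structure layout, buffer sizes and function names are assumptions for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the firmware channel list. The layout is assumed
 * and does not match the driver's real structure; only the count/element[]
 * relationship described in the advisory matters here. */
struct chanspec_list {
    uint32_t count;      /* element count reported by the device: untrusted */
    uint32_t element[];  /* flexible array, bounded by the enclosing allocation */
};

/* How many elements an allocation of buflen bytes can actually hold. */
static size_t chanlist_capacity(size_t buflen)
{
    if (buflen < sizeof(struct chanspec_list))
        return 0;
    return (buflen - sizeof(struct chanspec_list)) / sizeof(uint32_t);
}

/* Hardened walk, mirroring the fix: validate the device-supplied count
 * against the allocation before touching element[].
 * Returns the number of elements visited, or -EINVAL if count is too large. */
int walk_chanlist_checked(const struct chanspec_list *list, size_t buflen)
{
    if (list->count > chanlist_capacity(buflen))
        return -EINVAL;  /* caller frees the buffer and propagates the error */
    int visited = 0;
    for (uint32_t i = 0; i < list->count; i++) {
        volatile uint32_t chanspec = list->element[i]; /* would be decoded into a channel */
        (void)chanspec;
        visited++;
    }
    return visited;
}

/* Simulate one device response: allocate buflen bytes (stand-in for kzalloc)
 * and let the "device" claim reported_count elements, as in the advisory. */
int simulate_device_response(size_t buflen, uint32_t reported_count)
{
    if (buflen < sizeof(struct chanspec_list))
        return -EINVAL;  /* allocation cannot even hold the header */
    struct chanspec_list *list = calloc(1, buflen);
    if (!list)
        return -ENOMEM;
    list->count = reported_count;   /* untrusted value from the device */
    int rc = walk_chanlist_checked(list, buflen);
    free(list);
    return rc;
}
```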
The vulnerability was discovered by a modified version of the syzkaller fuzzer, with no evidence of real-world exploitation reported.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is exploited by connecting a malicious USB device (T1200) and leads to system crashes enabling denial of service (T1499.004).