{"id":"CVE-2022-49740","summary":"wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads\n\nThis patch fixes slab-out-of-bounds reads in brcmfmac that occur in\nbrcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count\nvalue of channel specifications provided by the device is greater than\nthe length of 'list-\u003eelement[]', decided by the size of the 'list'\nallocated with kzalloc(). The patch adds checks that make the functions\nfree the buffer and return -EINVAL if that is the case. Note that the\nnegative return is handled by the caller, brcmf_setup_wiphybands() or\nbrcmf_cfg80211_attach().\n\nFound by a modified version of syzkaller.\n\nCrash Report from brcmf_construct_chaninfo():\n==================================================================\nBUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430\nRead of size 4 at addr ffff888115f24600 by task kworker/0:2/1896\n\nCPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x57/0x7d\n print_address_description.constprop.0.cold+0x93/0x334\n kasan_report.cold+0x83/0xdf\n brcmf_setup_wiphybands+0x1238/0x1430\n brcmf_cfg80211_attach+0x2118/0x3fd0\n brcmf_attach+0x389/0xd40\n brcmf_usb_probe+0x12de/0x1690\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_set_configuration+0x984/0x1770\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_new_device.cold+0x463/0xf66\n hub_event+0x10d5/0x3330\n process_one_work+0x873/0x13e0\n worker_thread+0x8b/0xd10\n kthread+0x379/0x450\n ret_from_fork+0x1f/0x30\n\nAllocated by task 1896:\n kasan_save_stack+0x1b/0x40\n __kasan_kmalloc+0x7c/0x90\n kmem_cache_alloc_trace+0x19e/0x330\n brcmf_setup_wiphybands+0x290/0x1430\n brcmf_cfg80211_attach+0x2118/0x3fd0\n brcmf_attach+0x389/0xd40\n brcmf_usb_probe+0x12de/0x1690\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_set_configuration+0x984/0x1770\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_new_device.cold+0x463/0xf66\n hub_event+0x10d5/0x3330\n process_one_work+0x873/0x13e0\n worker_thread+0x8b/0xd10\n kthread+0x379/0x450\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the object at ffff888115f24000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 1536 bytes inside of\n 2048-byte region [ffff888115f24000, ffff888115f24800)\n\nMemory state around the buggy address:\n ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                   ^\n ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n==================================================================\n\nCrash Report from brcmf_enable_bw40_2g():\n==========\n---truncated---","modified":"2026-04-11T12:44:28.212155Z","published":"2025-03-27T16:42:52.222Z","related":["SUSE-SU-2025:1293-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49740.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4920ab131b2dbae7464b72bdcac465d070254209"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9cf5e99c1ae1a85286a76c9a970202750538394c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b2e412879595821ff1b5545cbed5f108fba7f5b6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e4991910f15013db72f6ec0db7038ea67a57052e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f06de1bb6d61f0c18b0213bbc6298960037f9d42"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49740.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49740"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d48200ba45dd2edfe6286abfc783a81a4a492e98"},{"fixed":"9cf5e99c1ae1a85286a76c9a970202750538394c"},{"fixed":"b2e412879595821ff1b5545cbed5f108fba7f5b6"},{"fixed":"e4991910f15013db72f6ec0db7038ea67a57052e"},{"fixed":"f06de1bb6d61f0c18b0213bbc6298960037f9d42"},{"fixed":"4920ab131b2dbae7464b72bdcac465d070254209"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49740.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.10.0"},{"fixed":"5.4.232"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.93"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49740.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}