{"id":"CVE-2022-50258","summary":"wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()\n\nThis patch fixes a stack-out-of-bounds read in brcmfmac that occurs\nwhen 'buf' that is not null-terminated is passed as an argument of\nstrsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware\nversion string by memcpy() in brcmf_fil_iovar_data_get().\nThe patch ensures buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[   47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3\n[   47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[   47.601565][ T1897] ==================================================================\n[   47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0\n[   47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897\n[   47.604336][ T1897]\n[   47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #131\n[   47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   47.606907][ T1897] Workqueue: usb_hub_wq hub_event\n[   47.607453][ T1897] Call Trace:\n[   47.607801][ T1897]  dump_stack_lvl+0x8e/0xd1\n[   47.608295][ T1897]  print_address_description.constprop.0.cold+0xf/0x334\n[   47.609009][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.609434][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.609863][ T1897]  kasan_report.cold+0x83/0xdf\n[   47.610366][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.610882][ T1897]  strsep+0x1b2/0x1f0\n[   47.611300][ T1897]  ? brcmf_fil_iovar_data_get+0x3a/0xf0\n[   47.611883][ T1897]  brcmf_c_preinit_dcmds+0x995/0xc40\n[   47.612434][ T1897]  ? brcmf_c_set_joinpref_default+0x100/0x100\n[   47.613078][ T1897]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   47.613662][ T1897]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   47.614208][ T1897]  ? lock_acquire+0x19d/0x4e0\n[   47.614704][ T1897]  ? find_held_lock+0x2d/0x110\n[   47.615236][ T1897]  ? brcmf_usb_deq+0x1a7/0x260\n[   47.615741][ T1897]  ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[   47.616288][ T1897]  brcmf_attach+0x246/0xd40\n[   47.616758][ T1897]  ? wiphy_new_nm+0x1703/0x1dd0\n[   47.617280][ T1897]  ? kmemdup+0x43/0x50\n[   47.617720][ T1897]  brcmf_usb_probe+0x12de/0x1690\n[   47.618244][ T1897]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[   47.618901][ T1897]  usb_probe_interface+0x2aa/0x760\n[   47.619429][ T1897]  ? usb_probe_device+0x250/0x250\n[   47.619950][ T1897]  really_probe+0x205/0xb70\n[   47.620435][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.621048][ T1897]  __driver_probe_device+0x311/0x4b0\n[   47.621595][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.622209][ T1897]  driver_probe_device+0x4e/0x150\n[   47.622739][ T1897]  __device_attach_driver+0x1cc/0x2a0\n[   47.623287][ T1897]  bus_for_each_drv+0x156/0x1d0\n[   47.623796][ T1897]  ? bus_rescan_devices+0x30/0x30\n[   47.624309][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   47.624907][ T1897]  ? trace_hardirqs_on+0x46/0x160\n[   47.625437][ T1897]  __device_attach+0x23f/0x3a0\n[   47.625924][ T1897]  ? device_bind_driver+0xd0/0xd0\n[   47.626433][ T1897]  ? kobject_uevent_env+0x287/0x14b0\n[   47.627057][ T1897]  bus_probe_device+0x1da/0x290\n[   47.627557][ T1897]  device_add+0xb7b/0x1eb0\n[   47.628027][ T1897]  ? wait_for_completion+0x290/0x290\n[   47.628593][ T1897]  ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0\n[   47.629249][ T1897]  usb_set_configuration+0xf59/0x16f0\n[   47.629829][ T1897]  usb_generic_driver_probe+0x82/0xa0\n[   47.630385][ T1897]  usb_probe_device+0xbb/0x250\n[   47.630927][ T1897]  ? usb_suspend+0x590/0x590\n[   47.631397][ T1897]  really_probe+0x205/0xb70\n[   47.631855][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.632469][ T1897]  __driver_probe_device+0x311/0x4b0\n[   47.633002][ \n---truncated---","modified":"2026-04-02T08:28:21.490244Z","published":"2025-09-15T14:02:43.992Z","related":["SUSE-SU-2025:03613-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03626-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50258.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0a06cadcc2a0044e4a117cc0e61436fc3a0dad69"},{"type":"WEB","url":"https://git.kernel.org/stable/c/17dbe90e13f52848c460d253f15b765038ec6dc0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3a3a5e3f94068cd562d62a57da6983c8cd07d53c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/881f50d76c3892262730ddf5c894eb00310e736c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/89243a7b0ea19606ba1c2873c9d569026ccb344f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba166e0ebdde3dfa833f0a3edaf2b2934d4a87f7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d481fd6064bf215d7c5068e15aa390c3b16c9cd0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d6ef66194bb4a6c18f5b9649bf62597909b040e4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50258.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50258"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845"},{"fixed":"89243a7b0ea19606ba1c2873c9d569026ccb344f"},{"fixed":"d481fd6064bf215d7c5068e15aa390c3b16c9cd0"},{"fixed":"17dbe90e13f52848c460d253f15b765038ec6dc0"},{"fixed":"d6ef66194bb4a6c18f5b9649bf62597909b040e4"},{"fixed":"3a3a5e3f94068cd562d62a57da6983c8cd07d53c"},{"fixed":"881f50d76c3892262730ddf5c894eb00310e736c"},{"fixed":"ba166e0ebdde3dfa833f0a3edaf2b2934d4a87f7"},{"fixed":"0a06cadcc2a0044e4a117cc0e61436fc3a0dad69"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50258.json"}}],"schema_version":"1.7.5"}