{"id":"CVE-2023-53213","summary":"wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()\n\nFix a slab-out-of-bounds read that occurs in kmemdup() called from\nbrcmf_get_assoc_ies().\nThe bug could occur when assoc_info-\u003ereq_len, data from a URB provided\nby a USB device, is bigger than the size of buffer which is defined as\nWL_EXTRA_BUF_MAX.\n\nAdd the size check for req_len/resp_len of assoc_info.\n\nFound by a modified version of syzkaller.\n\n[   46.592467][    T7] ==================================================================\n[   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50\n[   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7\n[   46.598575][    T7]\n[   46.599157][    T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G           O      5.14.0+ #145\n[   46.601333][    T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   46.604360][    T7] Workqueue: events brcmf_fweh_event_worker\n[   46.605943][    T7] Call Trace:\n[   46.606584][    T7]  dump_stack_lvl+0x8e/0xd1\n[   46.607446][    T7]  print_address_description.constprop.0.cold+0x93/0x334\n[   46.608610][    T7]  ? kmemdup+0x3e/0x50\n[   46.609341][    T7]  kasan_report.cold+0x79/0xd5\n[   46.610151][    T7]  ? kmemdup+0x3e/0x50\n[   46.610796][    T7]  kasan_check_range+0x14e/0x1b0\n[   46.611691][    T7]  memcpy+0x20/0x60\n[   46.612323][    T7]  kmemdup+0x3e/0x50\n[   46.612987][    T7]  brcmf_get_assoc_ies+0x967/0xf60\n[   46.613904][    T7]  ? brcmf_notify_vif_event+0x3d0/0x3d0\n[   46.614831][    T7]  ? lock_chain_count+0x20/0x20\n[   46.615683][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.616552][    T7]  ? lock_chain_count+0x20/0x20\n[   46.617409][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.618244][    T7]  ? lock_chain_count+0x20/0x20\n[   46.619024][    T7]  brcmf_bss_connect_done.constprop.0+0x241/0x2e0\n[   46.620019][    T7]  ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0\n[   46.620818][    T7]  ? __lock_acquire+0x181f/0x5790\n[   46.621462][    T7]  brcmf_notify_connect_status+0x448/0x1950\n[   46.622134][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.622736][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.623390][    T7]  ? find_held_lock+0x2d/0x110\n[   46.623962][    T7]  ? brcmf_fweh_event_worker+0x19f/0xc60\n[   46.624603][    T7]  ? mark_held_locks+0x9f/0xe0\n[   46.625145][    T7]  ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0\n[   46.625871][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.626545][    T7]  brcmf_fweh_call_event_handler.isra.0+0x90/0x100\n[   46.627338][    T7]  brcmf_fweh_event_worker+0x557/0xc60\n[   46.627962][    T7]  ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100\n[   46.628736][    T7]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   46.629396][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.629970][    T7]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   46.630649][    T7]  process_one_work+0x92b/0x1460\n[   46.631205][    T7]  ? pwq_dec_nr_in_flight+0x330/0x330\n[   46.631821][    T7]  ? rwlock_bug.part.0+0x90/0x90\n[   46.632347][    T7]  worker_thread+0x95/0xe00\n[   46.632832][    T7]  ? __kthread_parkme+0x115/0x1e0\n[   46.633393][    T7]  ? process_one_work+0x1460/0x1460\n[   46.633957][    T7]  kthread+0x3a1/0x480\n[   46.634369][    T7]  ? set_kthread_struct+0x120/0x120\n[   46.634933][    T7]  ret_from_fork+0x1f/0x30\n[   46.635431][    T7]\n[   46.635687][    T7] Allocated by task 7:\n[   46.636151][    T7]  kasan_save_stack+0x1b/0x40\n[   46.636628][    T7]  __kasan_kmalloc+0x7c/0x90\n[   46.637108][    T7]  kmem_cache_alloc_trace+0x19e/0x330\n[   46.637696][    T7]  brcmf_cfg80211_attach+0x4a0/0x4040\n[   46.638275][    T7]  brcmf_attach+0x389/0xd40\n[   46.638739][    T7]  brcmf_usb_probe+0x12de/0x1690\n[   46.639279][    T7]  usb_probe_interface+0x2aa/0x760\n[   46.639820][    T7]  really_probe+0x205/0xb70\n[   46.640342][    T7]  __driver_probe_device+0\n---truncated---","modified":"2026-04-02T09:43:48.784758Z","published":"2025-09-15T14:21:41.433Z","related":["SUSE-SU-2025:03613-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03626-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53213.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0da40e018fd034d87c9460123fa7f897b69fdee7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/21bee3e649d87f78fe8aef6ae02edd3d6f310fd0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/228186629ea970cc78b7d7d5f593f2d32fddf9f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/39f9bd880abac6068bedb24a4e16e7bd26bf92da"},{"type":"WEB","url":"https://git.kernel.org/stable/c/425eea395f1f5ae349fb55f7fe51d833a5324bfe"},{"type":"WEB","url":"https://git.kernel.org/stable/c/549825602e3e6449927ca1ea1a08fd89868439df"},{"type":"WEB","url":"https://git.kernel.org/stable/c/936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac5305e5d227b9af3aae25fa83380d3ff0225b73"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e29661611e6e71027159a3140e818ef3b99f32dd"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53213.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53213"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cf2b448852abd47cee21007b8313fbf962bf3c9a"},{"fixed":"ac5305e5d227b9af3aae25fa83380d3ff0225b73"},{"fixed":"39f9bd880abac6068bedb24a4e16e7bd26bf92da"},{"fixed":"425eea395f1f5ae349fb55f7fe51d833a5324bfe"},{"fixed":"549825602e3e6449927ca1ea1a08fd89868439df"},{"fixed":"936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8"},{"fixed":"e29661611e6e71027159a3140e818ef3b99f32dd"},{"fixed":"228186629ea970cc78b7d7d5f593f2d32fddf9f6"},{"fixed":"21bee3e649d87f78fe8aef6ae02edd3d6f310fd0"},{"fixed":"0da40e018fd034d87c9460123fa7f897b69fdee7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53213.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}