CVE-2022-50551
📋 TL;DR
This CVE describes a shift-out-of-bounds vulnerability in the brcmfmac WiFi driver in the Linux kernel. An attacker could potentially cause a kernel panic or denial of service by providing a maliciously large chiprev value. Systems using Broadcom brcmfmac WiFi drivers with vulnerable kernel versions are affected.
💻 Affected Systems
- Linux kernel with brcmfmac driver
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially requiring physical access to restart the system.
Likely Case
System crash or instability when connecting to malicious WiFi devices or processing corrupted firmware data.
If Mitigated
NULL pointer dereference handled gracefully by the driver, resulting in WiFi initialization failure but system remains stable.
🎯 Exploit Status
Exploitation requires ability to provide malicious chiprev value, likely through USB device emulation or firmware manipulation. Found via syzkaller fuzzing.
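The bug class described above, shown as an added example that is not the driver's own code: a revision-mask lookup that shifts by a device-supplied chiprev, next to a form that range-checks the value first. The struct, table and function names are hypothetical and the table values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical firmware table entry: revmask bit n set = revision n supported. */
struct fw_entry { uint32_t chipid; uint32_t revmask; const char *name; };

/* Constructed sample values, not taken from the driver. */
static const struct fw_entry fw_table[] = {
    { 0x4350, 0x000000FFu, "fw-4350-early" },
    { 0x4350, 0xFFFFFF00u, "fw-4350-late"  },
    { 0x4354, 0xFFFFFFFFu, "fw-4354"       },
};

#define REVMASK_BITS (sizeof(uint32_t) * CHAR_BIT)

/* Unchecked form: chiprev is reported by the device, and a value >= 32 makes
 * the shift undefined behaviour (UBSAN reports it as shift-out-of-bounds). */
const char *fw_lookup_unchecked(uint32_t chipid, uint32_t chiprev)
{
    for (size_t i = 0; i < sizeof(fw_table) / sizeof(fw_table[0]); i++)
        if (fw_table[i].chipid == chipid &&
            (fw_table[i].revmask & (1u << chiprev)))
            return fw_table[i].name;
    return NULL;
}

/* Checked form: reject a revision that cannot be a bit index before any
 * shift happens; the caller treats NULL as "initialization failed". */
const char *fw_lookup_checked(uint32_t chipid, uint32_t chiprev)
{
    if (chiprev >= REVMASK_BITS)
        return NULL;
    return fw_lookup_unchecked(chipid, chiprev);
}

int main(void)
{
    /* 3 is a valid revision; 200 stands in for an out-of-range device value. */
    const char *ok = fw_lookup_checked(0x4350, 3);
    const char *bad = fw_lookup_checked(0x4350, 200);
    printf("rev 3   -> %s\n", ok ? ok : "(rejected)");
    printf("rev 200 -> %s\n", bad ? bad : "(rejected)");
    return 0;
}
```

The unchecked function is only ever reached here with a revision below 32, so the example itself never executes the undefined shift.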
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 0b12d2aa264bac35bff9b5399bb162262b2b8949, 1db036d13e10809943c2dce553e2fa7fc9c6cd80, 4c8fc44c44b97854623c56363c359f711fc0b887, 579c9b9838e8a73f6e93ddece07972c241514dcc, 5b06a8a25eba07628313aa3c5496522eff97be53
Vendor Advisory: https://git.kernel.org/stable/c/0b12d2aa264bac35bff9b5399bb162262b2b8949
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. For distributions: Use package manager (apt/yum/dnf) to update kernel package.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable brcmfmac driver
Blacklist or disable the vulnerable brcmfmac driver module
echo 'blacklist brcmfmac' >> /etc/modprobe.d/blacklist-brcmfmac.conf
update-initramfs -u
reboot
Restrict USB device access
Use udev rules to block unauthorized USB WiFi devices
echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="0a5c", ATTR{idProduct}=="*", MODE="0660", GROUP="trusted"' > /etc/udev/rules.d/99-broadcom-wifi.rules
udevadm control --reload-rules
🧯 If You Can't Patch
- Disable automatic USB device mounting and WiFi hardware
- Implement strict physical security controls for USB ports
- Monitor system logs for kernel panic or brcmfmac errors
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether the brcmfmac module is loaded: lsmod | grep brcmfmac && uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is updated and check dmesg for brcmfmac initialization without errors
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- UBSAN shift-out-of-bounds warnings in dmesg
- brcmfmac driver failure during USB device initialization
Network Indicators:
- Unexpected USB WiFi device connections
- WiFi interface initialization failures
SIEM Query:
source="kernel" AND ("shift-out-of-bounds" OR "brcmfmac" AND (panic OR error))
🔗 References
- https://git.kernel.org/stable/c/0b12d2aa264bac35bff9b5399bb162262b2b8949
- https://git.kernel.org/stable/c/1db036d13e10809943c2dce553e2fa7fc9c6cd80
- https://git.kernel.org/stable/c/4c8fc44c44b97854623c56363c359f711fc0b887
- https://git.kernel.org/stable/c/579c9b9838e8a73f6e93ddece07972c241514dcc
- https://git.kernel.org/stable/c/5b06a8a25eba07628313aa3c5496522eff97be53
- https://git.kernel.org/stable/c/81d17f6f3331f03c8eafdacea68ab773426c1e3c
- https://git.kernel.org/stable/c/87792567d9ed93fd336d2c3b8d7870f44e141e6d
- https://git.kernel.org/stable/c/9d2f70fa2c7cc6c73a420ff15682454782d3d6f6
- https://git.kernel.org/stable/c/bc45aa1911bf699b9905f12414e3c1879d6b784f
- https://git.kernel.org/stable/c/ffb589963df103caaf062081a32db0b9e1798660