CVE-2023-1380: 
Linux Kernel vulnerability analysis and mitigation

A slab-out-of-bound read vulnerability (CVE-2023-1380) was discovered in the Linux Kernel's Broadcom FullMAC USB WiFi driver (brcmfmac). The vulnerability was found in the brcmfgetassoc_ies function within drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. The issue was discovered in March 2023 and affects various Linux kernel versions (MITRE CVE, Ubuntu Security).

The vulnerability occurs when associnfo->reqlen data, provided by a USB device through a URB, exceeds the size of the buffer defined as WLEXTRABUFMAX. The driver duplicates the data from cfg->extrabuf to conninfo->reqie using the potentially excessive associnfo->reqlen value, leading to an out-of-bounds read condition. The data then passes through cfg80211connectdone() and _cfg80211connectresult(), ultimately reaching nl80211sendconnectresult() where it forms netlink messages with the out-of-bounds data (Linux Wireless).

When successfully exploited, this vulnerability could lead to disclosure of sensitive information from kernel memory or cause a denial of service (system crash) on systems using the affected driver. The vulnerability has been assigned a CVSS score of 7.1 (High) (Ubuntu Security).

The vulnerability has been fixed in multiple Linux kernel versions including 4.14.315, 4.19.283, 5.4.243, 5.10.180, 5.15.110, 6.1.27, and 6.2.14. The fix involves adding size validation checks for reqlen/resplen of assoc_info to prevent the buffer overflow condition (Linux Wireless).