Date: Wed, 28 Aug 2019 13:50:53 +0800 From: huangwen <huangwenabc@...il.com> To: oss-security@...ts.openwall.com Subject: Linux kernel: three heap overflow in the marvell wifi driver Hi, There are three heap-based buffer overflows in marvell wifi chip driver in Linux kernel, allow local users to cause a denial of service(system crash) or possibly execute arbitrary code.The bugs can be triggered by sending crafted packet via netlink. Description ========== CVE-2019-14814:Heap Overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver in Linux kernel The problem is inside mwifiex_set_uap_rates() in drivers/net/wireless/marvell/mwifiex/uap_cmd.c. There are two memcpy calls in this function to copy WLAN_EID_SUPP_RATES element and WLAN_EID_EXT_SUPP_RATES element without checking length. The dst buffer bss_cfg->rates is a array of length MWIFIEX_SUPPORTED_RATES(14). The two elements in cfg80211_ap_settings are from user space. CVE-2019-14815: Heap Overflow in mwifiex_set_wmm_params() function of Marvell Wifi Driver in Linux kernel The problem is inside mwifiex_set_wmm_params() in drivers/net/wireless/marvell/mwifiex/uap_cmd.c. mwifiex_set_wmm_params() calls memcpy to copy WLAN_OUI_MICROSOFT element to bss_cfg->wmm_info without checking length. bss_cfg->wmm_info is struct mwifiex_types_wmm_info type with fixed len 24. CVE-2019-14816:Heap Overflow in mwifiex_update_vs_ie() function of Marvell Wifi Driver in Linux kernel The problem is inside mwifiex_update_vs_ie() in drivers/net/wireless/marvell/mwifiex/ie.c. mwifiex_set_mgmt_beacon_data_ies() parses beacon IEs, probe response IEs, association response IEs from cfg80211_ap_settings->beacon, will call mwifiex_update_vs_ie() twice for each IEs if there exists IEs. For beacon_ies as example, on the first call, mwifiex_update_vs_ie() alloc memory ie and then copy WLAN_OUI_MICROSOFT element to ie->ie_buffer, ie->ie_buffer is a array of length IEEE_MAX_IE_SIZE(256); on the Second call, mwifiex_update_vs_ie() copy WLAN_OUI_WFA elment to previous allocated ie->ie_buffer. If sum of length of the two elements is greater than IEEE_MAX_IE_SIZE, will cause buffer overflow. Patch ===== https://firstname.lastname@example.org/ Credit ========== This issue was discovered by huangwen of ADLab of Venustech
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.