Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 22 Nov 2019 13:38:01 +0800
From: huangwen <huangwenabc@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: three buffer overflow in the marvell wifi driver

Hi,
There are three buffer overflows in marvell wifi chip driver in Linux
kernel, allow remote users to cause a denial of service(system crash) or
possibly execute arbitrary code.

Description
==========
[1]CVE-2019-14895:Heap Overflow in mwifiex_process_country_ie() function of
Marvell Wifi Driver in Linux kernel
The problem is inside mwifiex_process_country_ie() function in
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c.
When STA connects to AP, mwifiex_process_country_ie function will be called
for STA. The function call link is:
mwifiex_cfg80211_connect()->mwifiex_cfg80211_assoc()->mwifiex_bss_start()->mwifiex_process_country_ie().
mwifiex_process_country_ie() function parse elements of bss descriptor in
beacon packet. When processing WLAN_EID_COUNTRY element, there is no upper
limit check for country_ie_len before calling memcpy,the dst buffer
domain_info->triplet is a array of length MWIFIEX_MAX_TRIPLET_802_11D(83).
The remote attacker can build a fake AP sending malicous beacon packet with
long WLAN_EID_COUNTRY element. When the victim STA connects to fake AP,will
trigger the heap buffer overflow.

[2]CVE-2019-14896: Heap Overflow in add_ie_rates() function of Marvell Wifi
Driver in Linux kernel
The problem is inside add_ie_rates function in
drivers/net/wireless/marvell/libertas/cfg.c.
When STA connects to AP, add_ie_rates function will be called for STA.The
function call link is:
lbs_cfg_connect()->lbs_associate()->lbs_add_common_rates_tlv()->add_ie_rates().
The lbs_associate() function parses the elements of cfg80211_bss in beacon
packet.  The elements in cfg80211_bss  will be copy to cmd->iebuf,
cmd->iebuf is a array of length 512.When processing WLAN_EID_SUPP_RATES or
WLAN_EID_EXT_SUPP_RATES element, add_ie_rates() will be called. In
add_ie_rates() function there is a write statement  in For loop(*tlv++ =
ie[ap];), the loop count ap_max is len of element  WLAN_EID_SUPP_RATES or
WLAN_EID_EXT_SUPP_RATES,but it is not checked before the For loop.
The remote attacker can build a fakeAP sending malicous beacon packet with
long WLAN_EID_SUPP_RATES and WLAN_EID_EXT_SUPP_RATES elements to make:
 sum( len(WLAN_EID_SUPP_RATES element) + len(WLAN_EID_EXT_SUPP_RATES
element) + len(other elements))>512
When the victim STA connects to fakeAP, will trigger the heap buffer
overflow.

[3]CVE-2019-14897 :Stack Overflow in lbs_ibss_join_existing() function of
Marvell Wifi Driver in Linux kernel
The problem is inside add_ie_rates function in
drivers/net/wireless/marvell/libertas/cfg.c.
When some STAs work in IBSS mode, they can connect to each other without
AP. lbs_ibss_join_existing will be called  when STA joins IBSS network. The
lbs_ibss_join_existing() function parses the elements in cfg80211_bss
struct. The function ieee80211_bss_get_ie()  is called to get
WLAN_EID_SUPP_RATES element. There is a write statement  in For
loop(*rates++ = rate;). But loop count rates_max is not checked before the
For loop ,the dst buffer rates is  a array of MAX_RATES(14).
The remote attacker can build a malicous IBSS sending beacon packet with
long WLAN_EID_SUPP_RATES(len>14). when victim STA connect malicous IBSS,
will trigger buffer overflow.


Patch
==========
https://patchwork.kernel.org/patch/11256477/
https://patchwork.kernel.org/patch/11257187/


Credit
==========
This issue was discovered by ADLab of Venustech

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.