Date: Fri, 22 Nov 2019 13:38:01 +0800 From: huangwen <huangwenabc@...il.com> To: oss-security@...ts.openwall.com Subject: Linux kernel: three buffer overflow in the marvell wifi driver Hi, There are three buffer overflows in marvell wifi chip driver in Linux kernel, allow remote users to cause a denial of service(system crash) or possibly execute arbitrary code. Description ========== CVE-2019-14895:Heap Overflow in mwifiex_process_country_ie() function of Marvell Wifi Driver in Linux kernel The problem is inside mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c. When STA connects to AP, mwifiex_process_country_ie function will be called for STA. The function call link is: mwifiex_cfg80211_connect()->mwifiex_cfg80211_assoc()->mwifiex_bss_start()->mwifiex_process_country_ie(). mwifiex_process_country_ie() function parse elements of bss descriptor in beacon packet. When processing WLAN_EID_COUNTRY element, there is no upper limit check for country_ie_len before calling memcpy,the dst buffer domain_info->triplet is a array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote attacker can build a fake AP sending malicous beacon packet with long WLAN_EID_COUNTRY element. When the victim STA connects to fake AP,will trigger the heap buffer overflow. CVE-2019-14896: Heap Overflow in add_ie_rates() function of Marvell Wifi Driver in Linux kernel The problem is inside add_ie_rates function in drivers/net/wireless/marvell/libertas/cfg.c. When STA connects to AP, add_ie_rates function will be called for STA.The function call link is: lbs_cfg_connect()->lbs_associate()->lbs_add_common_rates_tlv()->add_ie_rates(). The lbs_associate() function parses the elements of cfg80211_bss in beacon packet. The elements in cfg80211_bss will be copy to cmd->iebuf, cmd->iebuf is a array of length 512.When processing WLAN_EID_SUPP_RATES or WLAN_EID_EXT_SUPP_RATES element, add_ie_rates() will be called. In add_ie_rates() function there is a write statement in For loop(*tlv++ = ie[ap];), the loop count ap_max is len of element WLAN_EID_SUPP_RATES or WLAN_EID_EXT_SUPP_RATES,but it is not checked before the For loop. The remote attacker can build a fakeAP sending malicous beacon packet with long WLAN_EID_SUPP_RATES and WLAN_EID_EXT_SUPP_RATES elements to make: sum( len(WLAN_EID_SUPP_RATES element) + len(WLAN_EID_EXT_SUPP_RATES element) + len(other elements))>512 When the victim STA connects to fakeAP, will trigger the heap buffer overflow. CVE-2019-14897 :Stack Overflow in lbs_ibss_join_existing() function of Marvell Wifi Driver in Linux kernel The problem is inside add_ie_rates function in drivers/net/wireless/marvell/libertas/cfg.c. When some STAs work in IBSS mode, they can connect to each other without AP. lbs_ibss_join_existing will be called when STA joins IBSS network. The lbs_ibss_join_existing() function parses the elements in cfg80211_bss struct. The function ieee80211_bss_get_ie() is called to get WLAN_EID_SUPP_RATES element. There is a write statement in For loop(*rates++ = rate;). But loop count rates_max is not checked before the For loop ,the dst buffer rates is a array of MAX_RATES(14). The remote attacker can build a malicous IBSS sending beacon packet with long WLAN_EID_SUPP_RATES(len>14). when victim STA connect malicous IBSS, will trigger buffer overflow. Patch ========== https://patchwork.kernel.org/patch/11256477/ https://patchwork.kernel.org/patch/11257187/ Credit ========== This issue was discovered by ADLab of Venustech
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.