Date: Fri, 8 May 2020 18:38:08 +0800 From: qing xu <m1s5p6688@...il.com> To: oss-security@...ts.openwall.com Subject: Linux kernel: two buffer overflow in the marvell wifi driver Hi, There are two buffer overflows in marvell wifi chip driver in Linux kernel which cause a denial of service(system crash) or possibly execute arbitrary code. Description ========== CVE-2020-12653：The mwifiex_cmd_append_vsie_tlv() in drivers/net/wireless/marvell/mwifiex/scan.c calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. CVE-2020-12654：mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c calls memcpy() without checking the destination size.Since the source is given from remote AP which contains illegal wmm elements , this may trigger a heap buffer overflow. Patch ========== https://patchwork.kernel.org/patch/11315255/ https://patchwork.kernel.org/patch/11315253/ Credit ========== This issue was discovered by ADLab of Venustech
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.