Date: Fri, 8 May 2020 18:38:08 +0800
From: qing xu <m1s5p6688@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: two buffer overflow in the marvell wifi driver

Hi,
There are two buffer overflows in the Marvell wifi chip driver in the Linux kernel
which cause a denial of service (system crash) or possibly execute arbitrary
code.

Description
==========
[1] CVE-2020-12653: The mwifiex_cmd_append_vsie_tlv() in
drivers/net/wireless/marvell/mwifiex/scan.c calls memcpy() without checking
the destination size, which may trigger a buffer overflow that a local user
could use to cause denial of service or the execution of arbitrary code.

[2] CVE-2020-12654: mwifiex_ret_wmm_get_status() in
drivers/net/wireless/marvell/mwifiex/wmm.c calls memcpy() without checking
the destination size. Since the source is given from a remote AP which
contains illegal wmm elements, this may trigger a heap buffer overflow.

Patch
==========
https://patchwork.kernel.org/patch/11315255/
https://patchwork.kernel.org/patch/11315253/

Credit
==========
This issue was discovered by ADLab of Venustech
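
An added illustration of the bug class described in the message above (not code from the original post, the kernel, or the linked patches): a C example that copies a length-prefixed element into a fixed-size buffer with the destination-size check in place. The struct, function names, buffer size and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define ELEM_HDR_LEN 2 /* element id byte + length byte */

/* Hypothetical fixed-size destination; not the mwifiex structure. */
struct elem_store {
    uint8_t raw[ELEM_HDR_LEN + 24];
};

/*
 * Copy one id/length/value element from a received buffer.
 * The unchecked pattern is memcpy(dst->raw, buf, buf[1] + ELEM_HDR_LEN):
 * the sender's length byte alone decides how much is written.
 * Returns 0 on success, -1 if the element is truncated or too large.
 */
int copy_element(struct elem_store *dst, const uint8_t *buf, size_t buf_len)
{
    size_t total;
    if (buf_len < ELEM_HDR_LEN)
        return -1;                          /* header truncated */
    total = (size_t)buf[1] + ELEM_HDR_LEN;  /* length claimed by sender */
    if (total > buf_len)
        return -1;                          /* would read past the input */
    if (total > sizeof(dst->raw))
        return -1;                          /* would overflow the destination */
    memset(dst->raw, 0, sizeof(dst->raw));
    memcpy(dst->raw, buf, total);
    return 0;
}

/* Constructed input: vendor-specific element (id 0xdd) with a 4-byte body. */
int demo_fits(void)
{
    const uint8_t frame[] = { 0xdd, 0x04, 0x00, 0x50, 0xf2, 0x02 };
    struct elem_store s;
    return copy_element(&s, frame, sizeof(frame));
}

/* Constructed input: length byte claims 200 bytes, more than the store holds. */
int demo_oversized(void)
{
    uint8_t frame[ELEM_HDR_LEN + 200] = { 0xdd, 200 };
    struct elem_store s;
    return copy_element(&s, frame, sizeof(frame));
}

int main(void) { printf("%d %d\n", demo_fits(), demo_oversized()); return 0; }
```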
