
List:       oss-security
Subject:    [oss-security] CVE-2019-3846: Marvell Wifi Driver mwifiex
From:       "huangwen" <huangwen () venustech ! com ! cn>
Date:       2019-05-30 10:58:59
Message-ID: 000f01d516d6$af59d490$0e0d7db0$ () com ! cn


Hi,

There is a heap buffer overflow in the Marvell mwifiex Wi-Fi driver in the
Linux kernel that allows a remote attacker to cause a denial of service
(system crash) or possibly execute arbitrary code.


Description
==========

The problem is in the mwifiex_update_bss_desc_with_ie function in
drivers/net/wireless/marvell/mwifiex/scan.c.

When a STA connects to an AP, mwifiex_update_bss_desc_with_ie is called to
update the BSS descriptor. It parses the IEs of the beacon frame. When
processing the WLAN_EID_SUPP_RATES element, it does not check the length of
the rates data before calling memcpy: element_len is only compared against
the bytes remaining in the source buffer, never against the destination, and
the destination buffer bss_entry->data_rates is an array of size
MWIFIEX_SUPPORTED_RATES (14).

A remote attacker can set up a fake AP that sends malicious beacon frames
with a long WLAN_EID_SUPP_RATES element (element_len > 14); when the victim
STA connects to the fake AP, the heap buffer overflow is triggered.


int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                                    struct mwifiex_bssdescriptor *bss_entry)
{
        .....

        /* Process variable IE */
        while (bytes_left >= 2) {
                element_id = *current_ptr;
                element_len = *(current_ptr + 1);
                total_ie_len = element_len + sizeof(struct ieee_types_header);

                /* only the source buffer is checked here */
                if (bytes_left < total_ie_len) {
                        mwifiex_dbg(adapter, ERROR,
                                    "err: InterpretIE: in processing\t"
                                    "IE, bytes left < IE length\n");
                        return -1;
                }

                switch (element_id) {
                case WLAN_EID_SSID:
                        bss_entry->ssid.ssid_len = element_len;
                        memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
                               element_len);
                        mwifiex_dbg(adapter, INFO,
                                    "info: InterpretIE: ssid: %-32s\n",
                                    bss_entry->ssid.ssid);
                        break;

                case WLAN_EID_SUPP_RATES:
                        /* overflow: element_len (up to 255) is never checked
                         * against MWIFIEX_SUPPORTED_RATES (14) */
                        memcpy(bss_entry->data_rates, current_ptr + 2,
                               element_len);
                        memcpy(bss_entry->supported_rates, current_ptr + 2,
                               element_len);
                        rate_size = element_len;
                        found_data_rate_ie = true;
                        break;

                case WLAN_EID_FH_PARAMS:
                        fh_param_set =
                                (struct ieee_types_fh_param_set *) current_ptr;
                        memcpy(&bss_entry->phy_param_set.fh_param_set,
                               fh_param_set,
                               sizeof(struct ieee_types_fh_param_set));
                        break;

                ......
                }
        }
}

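To make the bug concrete, the following is an added example, not code from the kernel or from this advisory. It models the IE loop above in plain C: struct bss_desc uses the kernel's fixed array sizes but, as an assumption, only carries the fields the loop writes; parse_bss_ies in vulnerable mode clamps each copy so the program itself stays memory-safe and instead counts how many bytes the driver's memcpy would have written past data_rates, while hardened mode rejects an element longer than its destination, which is the shape a fix takes. It also bounds the WLAN_EID_SSID copy, which has the same unchecked shape in the loop above. build_ies, parse_beacon and overrun_bytes are names chosen for this example, and the beacon bytes are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from include/linux/ieee80211.h and the mwifiex driver. */
#define WLAN_EID_SSID           0
#define WLAN_EID_SUPP_RATES     1
#define IEEE80211_MAX_SSID_LEN  32
#define MWIFIEX_SUPPORTED_RATES 14
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Stand-in for struct mwifiex_bssdescriptor (assumption: only the fields the
 * IE loop writes, with the kernel's fixed array sizes). */
struct bss_desc {
    uint8_t ssid[IEEE80211_MAX_SSID_LEN];
    uint8_t ssid_len;
    uint8_t data_rates[MWIFIEX_SUPPORTED_RATES];
    uint8_t supported_rates[MWIFIEX_SUPPORTED_RATES];
    size_t  rate_size;
};

/* Model of the "Process variable IE" loop; returns 0 or -1 like the driver.
 * hardened == 0 follows the vulnerable logic but clamps each copy and adds to
 * *overrun the bytes the driver's memcpy() would have written past data_rates;
 * hardened != 0 rejects an element longer than its destination (the fix). */
static int parse_bss_ies(const uint8_t *ies, size_t bytes_left,
                         struct bss_desc *bss, int hardened, size_t *overrun)
{
    const uint8_t *current_ptr = ies;

    while (bytes_left >= 2) {
        uint8_t element_id = current_ptr[0];
        uint8_t element_len = current_ptr[1];
        size_t total_ie_len = (size_t)element_len + 2;

        /* The driver's only length check guards the *source* buffer; a beacon
         * that really carries 30 rate octets passes it. */
        if (bytes_left < total_ie_len)
            return -1;
        switch (element_id) {
        case WLAN_EID_SSID: /* same unchecked pattern in the driver */
            if (hardened && element_len > IEEE80211_MAX_SSID_LEN)
                return -1;
            bss->ssid_len = element_len;
            memcpy(bss->ssid, current_ptr + 2, MIN(element_len, IEEE80211_MAX_SSID_LEN));
            break;
        case WLAN_EID_SUPP_RATES:
            if (element_len > MWIFIEX_SUPPORTED_RATES) {
                if (hardened)
                    return -1;
                *overrun += element_len - MWIFIEX_SUPPORTED_RATES;
            }
            memcpy(bss->data_rates, current_ptr + 2, MIN(element_len, MWIFIEX_SUPPORTED_RATES));
            memcpy(bss->supported_rates, current_ptr + 2, MIN(element_len, MWIFIEX_SUPPORTED_RATES));
            bss->rate_size = element_len;
            break;
        default:
            break; /* FH/DS params and other IDs are not modelled */
        }
        current_ptr += total_ie_len;
        bytes_left -= total_ie_len;
    }
    return 0;
}

/* Constructed beacon IEs (not captured traffic): SSID "fakeAP" followed by a
 * WLAN_EID_SUPP_RATES element carrying nrates octets of arbitrary rate codes. */
static size_t build_ies(uint8_t *out, uint8_t nrates)
{
    size_t n = 0, i;
    out[n++] = WLAN_EID_SSID;
    out[n++] = 6;
    memcpy(out + n, "fakeAP", 6);
    n += 6;
    out[n++] = WLAN_EID_SUPP_RATES;
    out[n++] = nrates;
    for (i = 0; i < nrates; i++)
        out[n++] = 0x82 + (uint8_t)i;
    return n;
}

/* Parse a constructed beacon with nrates rate octets. Returns the stored
 * rate_size, or -1 if the loop rejected the beacon; *overrun (may be NULL)
 * receives the bytes the vulnerable copy would have written past data_rates. */
int parse_beacon(uint8_t nrates, int hardened, size_t *overrun)
{
    uint8_t ies[300];
    struct bss_desc bss;
    size_t len = build_ies(ies, nrates), dummy = 0;

    if (!overrun)
        overrun = &dummy;
    *overrun = 0;
    memset(&bss, 0, sizeof bss);
    if (parse_bss_ies(ies, len, &bss, hardened, overrun) != 0)
        return -1;
    return (int)bss.rate_size;
}

/* Overrun alone, for the vulnerable loop. */
size_t overrun_bytes(uint8_t nrates)
{
    size_t o;
    parse_beacon(nrates, 0, &o);
    return o;
}
```

parse_beacon(30, 0, &n) completes with rate_size 30 and n == 16: the driver's bytes_left < total_ie_len check passes because the fake AP's beacon really does carry 30 rate octets, so nothing stops the copy until the length is compared with the 14-byte destination. parse_beacon(30, 1, &n) returns -1, and an ordinary 8-rate beacon parses identically in both modes.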

Credit
==========

This issue was discovered by huangwen of ADLab of Venustech


Patch
=====

https://lore.kernel.org/linux-wireless/20190529125220.17066-1-tiwai@suse.de/

https://lore.kernel.org/linux-wireless/20190529125220.17066-2-tiwai@suse.de/

https://lore.kernel.org/linux-wireless/20190529125220.17066-3-tiwai@suse.de/
