List: oss-security
Subject: [oss-security] CVE-2019-3846: Marvell Wifi Driver mwifiex
From: "huangwen" <huangwen () venustech ! com ! cn>
Date: 2019-05-30 10:58:59
Message-ID: 000f01d516d6$af59d490$0e0d7db0$ () com ! cn
Hi,
There is a heap overflow in the Marvell WiFi driver (mwifiex) in the Linux
kernel that allows remote attackers to cause a denial of service (system
crash) or possibly execute arbitrary code.
Description
==========
The problem is in the mwifiex_update_bss_desc_with_ie function in
drivers/net/wireless/marvell/mwifiex/scan.c.
When a STA connects to an AP, mwifiex_update_bss_desc_with_ie is called to
update the BSS descriptor. In that function, the IEs of the beacon packet are
parsed. When processing the WLAN_EID_SUPP_RATES element, it does not check the
length of the rates data before calling memcpy; the destination buffer
bss_entry->data_rates is an array of size MWIFIEX_SUPPORTED_RATES (14).
A remote attacker can set up a fake AP that sends a malicious beacon packet
with a long WLAN_EID_SUPP_RATES element (element_len > 14); when the victim
STA connects to the fake AP, the heap buffer overflow is triggered.
int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                                    struct mwifiex_bssdescriptor *bss_entry)
{
    ...
    /* Process variable IE */
    while (bytes_left >= 2) {
        element_id = *current_ptr;
        element_len = *(current_ptr + 1);
        total_ie_len = element_len + sizeof(struct ieee_types_header);

        if (bytes_left < total_ie_len) {
            mwifiex_dbg(adapter, ERROR,
                        "err: InterpretIE: in processing\t"
                        "IE, bytes left < IE length\n");
            return -1;
        }
        switch (element_id) {
        case WLAN_EID_SSID:
            bss_entry->ssid.ssid_len = element_len;
            memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
                   element_len);
            mwifiex_dbg(adapter, INFO,
                        "info: InterpretIE: ssid: %-32s\n",
                        bss_entry->ssid.ssid);
            break;
        case WLAN_EID_SUPP_RATES:
            /* overflow! element_len is never checked against the
             * size of bss_entry->data_rates before the copy */
            memcpy(bss_entry->data_rates, current_ptr + 2,
                   element_len);
            memcpy(bss_entry->supported_rates, current_ptr + 2,
                   element_len);
            rate_size = element_len;
            found_data_rate_ie = true;
            break;
        case WLAN_EID_FH_PARAMS:
            fh_param_set =
                (struct ieee_types_fh_param_set *) current_ptr;
            memcpy(&bss_entry->phy_param_set.fh_param_set,
                   fh_param_set,
                   sizeof(struct ieee_types_fh_param_set));
            break;
        ...
        }
    }
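The bounded IE walk that the supported-rates case needs, as an added example written for this post (it is not the driver's code and not the upstream patch); struct bss_desc, parse_bss_ies and the sample beacon bytes are constructed stand-ins for the kernel structures. The copy length is clamped to MWIFIEX_SUPPORTED_RATES and a truncated element is rejected the same way the driver already rejects it:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Values named in the advisory: rates buffer size and IE ids. */
#define MWIFIEX_SUPPORTED_RATES 14
#define WLAN_EID_SSID           0
#define WLAN_EID_SUPP_RATES     1

/* Hypothetical cut-down stand-in for struct mwifiex_bssdescriptor. */
struct bss_desc {
    uint8_t data_rates[MWIFIEX_SUPPORTED_RATES];
    uint8_t rate_size;
    int     rates_truncated;   /* set when an over-long element was clamped */
};

/*
 * Walk the variable IEs of a beacon body and copy the supported rates with
 * a bounds check: element_len is clamped to sizeof(data_rates).
 * Returns 0 on success, -1 if an element claims more bytes than remain.
 */
int parse_bss_ies(const uint8_t *ies, size_t bytes_left, struct bss_desc *bss)
{
    memset(bss, 0, sizeof(*bss));
    while (bytes_left >= 2) {
        uint8_t element_id   = ies[0];
        uint8_t element_len  = ies[1];
        size_t  total_ie_len = (size_t)element_len + 2;   /* id + len header */

        if (bytes_left < total_ie_len)
            return -1;                       /* same check as the driver */

        if (element_id == WLAN_EID_SUPP_RATES) {
            size_t n = element_len;
            if (n > MWIFIEX_SUPPORTED_RATES) {   /* the check the driver lacks */
                n = MWIFIEX_SUPPORTED_RATES;
                bss->rates_truncated = 1;
            }
            memcpy(bss->data_rates, ies + 2, n);
            bss->rate_size = (uint8_t)n;
        }
        ies += total_ie_len;
        bytes_left -= total_ie_len;
    }
    return 0;
}

/* Constructed sample: SSID "ap" followed by a 20-byte rates IE (len > 14). */
static const uint8_t sample_ies[] = {
    WLAN_EID_SSID, 2, 'a', 'p',
    WLAN_EID_SUPP_RATES, 20,
    0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, 0x30, 0x48,
    0x60, 0x6c, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
};
```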
Credit
==========
This issue was discovered by huangwen of ADLab of Venustech.
Patch
=====
https://lore.kernel.org/linux-wireless/20190529125220.17066-1-tiwai@suse.de/
https://lore.kernel.org/linux-wireless/20190529125220.17066-2-tiwai@suse.de/
https://lore.kernel.org/linux-wireless/20190529125220.17066-3-tiwai@suse.de/