List: oss-security
Subject: [oss-security] Linux kernel: three heap overflow in the marvell wifi driver
From: huangwen <huangwenabc () gmail ! com>
Date: 2019-08-28 5:50:53
Message-ID: CADt2dQe-nHwQSFHtbMzcB2C+XjcRMgkHqikf1tX+QtTEA-j5mQ () mail ! gmail ! com
Hi,
There are three heap-based buffer overflows in the Marvell WiFi chip driver in
the Linux kernel. They allow local users to cause a denial of service (system
crash) or possibly execute arbitrary code. The bugs can be triggered by sending
a crafted packet via netlink.
Description
==========
[1] CVE-2019-14814: Heap Overflow in mwifiex_set_uap_rates() function of
Marvell Wifi Driver in Linux kernel
The problem is inside mwifiex_set_uap_rates() in
drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
There are two memcpy calls in this function that copy the WLAN_EID_SUPP_RATES
element and the WLAN_EID_EXT_SUPP_RATES element without checking their
length. The destination buffer bss_cfg->rates is an array of length
MWIFIEX_SUPPORTED_RATES (14). The two elements in cfg80211_ap_settings come
from user space.
[2] CVE-2019-14815: Heap Overflow in mwifiex_set_wmm_params() function of
Marvell Wifi Driver in Linux kernel
The problem is inside mwifiex_set_wmm_params() in
drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
mwifiex_set_wmm_params() calls memcpy to copy the WLAN_OUI_MICROSOFT element
to bss_cfg->wmm_info without checking its length.
bss_cfg->wmm_info is of type struct mwifiex_types_wmm_info, with a fixed
length of 24.
[3] CVE-2019-14816: Heap Overflow in mwifiex_update_vs_ie() function of
Marvell Wifi Driver in Linux kernel
The problem is inside mwifiex_update_vs_ie() in
drivers/net/wireless/marvell/mwifiex/ie.c.
mwifiex_set_mgmt_beacon_data_ies() parses the beacon IEs, probe response IEs
and association response IEs from cfg80211_ap_settings->beacon, and calls
mwifiex_update_vs_ie() twice for each set of IEs that is present.
Taking beacon_ies as an example: on the first call, mwifiex_update_vs_ie()
allocates the memory for ie and then copies the WLAN_OUI_MICROSOFT element
to ie->ie_buffer, which is an array of length IEEE_MAX_IE_SIZE (256). On the
second call, mwifiex_update_vs_ie() copies the WLAN_OUI_WFA element into the
previously allocated ie->ie_buffer. If the sum of the lengths of the two
elements is greater than IEEE_MAX_IE_SIZE, this causes a buffer overflow.
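The common defect in [1] and [3] is a memcpy of a user-supplied information element into a fixed-size array with no check against the remaining capacity. The following is an added, constructed user-space model of the checked form of that copy (it is not the driver's code or the patch); it assumes the two buffer sizes the report names, the 802.11 element IDs 1, 50 and 221, and a single bounded-append helper that serves both the two-element rates case and the repeated-call ie_buffer case.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model of the report's defect pattern (added example,
 * not the driver's code). Capacities are the two sizes the report names. */
#define MWIFIEX_SUPPORTED_RATES 14   /* bss_cfg->rates */
#define IEEE_MAX_IE_SIZE        256  /* ie->ie_buffer  */

/* An information element as parsed from user-supplied cfg80211 data:
 * one id byte, one length byte, then `len` payload bytes. */
struct ie { uint8_t id; uint8_t len; const uint8_t *data; };

/* Fixed-capacity destination with a running fill level, so a second append
 * (the mwifiex_update_vs_ie() case) is bounded by what the first one used. */
struct ie_buf { uint8_t *data; size_t cap; size_t used; };

/* Bounded append: the length check each memcpy in the report was missing.
 * Returns 0 on success, -EINVAL if the element would not fit. */
int ie_buf_append(struct ie_buf *b, const struct ie *e)
{
    if (b->used > b->cap || e->len > b->cap - b->used)
        return -EINVAL;
    memcpy(b->data + b->used, e->data, e->len);
    b->used += e->len;
    return 0;
}

/* Model of mwifiex_set_uap_rates(): SUPP_RATES then EXT_SUPP_RATES into the
 * 14-byte array. Either element may be absent (NULL). */
int set_uap_rates_checked(uint8_t rates[MWIFIEX_SUPPORTED_RATES],
                          const struct ie *supp, const struct ie *ext)
{
    struct ie_buf b = { rates, MWIFIEX_SUPPORTED_RATES, 0 };
    if (supp && ie_buf_append(&b, supp))
        return -EINVAL;
    if (ext && ie_buf_append(&b, ext))
        return -EINVAL;
    return 0;
}

/* Constructed sample payloads: 8 + 8 rate bytes exceed the 14-byte array, so
 * the checked copy must reject that pair. sample_pad is 256 zero bytes. */
static const uint8_t sample_supp[8] = {0x82,0x84,0x8b,0x96,0x0c,0x12,0x18,0x24};
static const uint8_t sample_ext[8]  = {0x30,0x48,0x60,0x6c,0x30,0x48,0x60,0x6c};
static const uint8_t sample_pad[IEEE_MAX_IE_SIZE] = {0};
```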
Patch
=====
https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/
Credit
==========
This issue was discovered by huangwen of ADLab of Venustech.