'[oss-security] Linux kernel: three heap overflow in the marvell wifi driver'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Linux kernel: three heap overflow in the marvell wifi driver
From:       huangwen <huangwenabc () gmail ! com>
Date:       2019-08-28 5:50:53
Message-ID: CADt2dQe-nHwQSFHtbMzcB2C+XjcRMgkHqikf1tX+QtTEA-j5mQ () mail ! gmail ! com
[Download RAW message or body]


Hi,

There are three heap-based buffer overflows in marvell wifi chip driver in
Linux kernel, allow local users to cause a denial

of service(system crash) or possibly execute arbitrary code.The bugs can be
triggered by sending crafted  packet via netlink.


Description

==========

[1]CVE-2019-14814:Heap Overflow in mwifiex_set_uap_rates() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex_set_uap_rates() in
drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
There are two memcpy calls in this function to copy WLAN_EID_SUPP_RATES
element and WLAN_EID_EXT_SUPP_RATES element

without checking length. The dst buffer bss_cfg->rates is a array of length
MWIFIEX_SUPPORTED_RATES(14). The two elements in

cfg80211_ap_settings are from user space.



[2]CVE-2019-14815: Heap Overflow in mwifiex_set_wmm_params() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex_set_wmm_params() in
drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
mwifiex_set_wmm_params() calls memcpy to copy WLAN_OUI_MICROSOFT element to
bss_cfg->wmm_info without checking  length.

bss_cfg->wmm_info is struct mwifiex_types_wmm_info type with fixed len 24.



[3]CVE-2019-14816:Heap Overflow in mwifiex_update_vs_ie() function of
Marvell Wifi Driver in Linux kernel



The problem is inside mwifiex_update_vs_ie() in
drivers/net/wireless/marvell/mwifiex/ie.c.

mwifiex_set_mgmt_beacon_data_ies()  parses beacon IEs, probe response IEs,
association response IEs from cfg80211_ap_settings->beacon,

will call mwifiex_update_vs_ie() twice for each IEs if there exists IEs.
For beacon_ies as example, on the first call, mwifiex_update_vs_ie() alloc

memory ie and then copy WLAN_OUI_MICROSOFT element to ie->ie_buffer,
ie->ie_buffer
is a array of length IEEE_MAX_IE_SIZE(256); on the

Second call, mwifiex_update_vs_ie() copy WLAN_OUI_WFA elment to
previous allocated
ie->ie_buffer. If sum of  length of the two elements is

greater than IEEE_MAX_IE_SIZE, will cause buffer overflow.



Patch

=====

https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/



Credit

==========

This issue was discovered by huangwen of ADLab of Venustech


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic