oss-sec mailing list archives
Linux kernel: three buffer overflow in the marvell wifi driver
From: huangwen <huangwenabc () gmail com>
Date: Fri, 22 Nov 2019 13:38:01 +0800
Hi, There are three buffer overflows in marvell wifi chip driver in Linux kernel, allow remote users to cause a denial of service(system crash) or possibly execute arbitrary code. Description ========== [1]CVE-2019-14895:Heap Overflow in mwifiex_process_country_ie() function of Marvell Wifi Driver in Linux kernel The problem is inside mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c. When STA connects to AP, mwifiex_process_country_ie function will be called for STA. The function call link is: mwifiex_cfg80211_connect()->mwifiex_cfg80211_assoc()->mwifiex_bss_start()->mwifiex_process_country_ie(). mwifiex_process_country_ie() function parse elements of bss descriptor in beacon packet. When processing WLAN_EID_COUNTRY element, there is no upper limit check for country_ie_len before calling memcpy,the dst buffer domain_info->triplet is a array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote attacker can build a fake AP sending malicous beacon packet with long WLAN_EID_COUNTRY element. When the victim STA connects to fake AP,will trigger the heap buffer overflow. [2]CVE-2019-14896: Heap Overflow in add_ie_rates() function of Marvell Wifi Driver in Linux kernel The problem is inside add_ie_rates function in drivers/net/wireless/marvell/libertas/cfg.c. When STA connects to AP, add_ie_rates function will be called for STA.The function call link is: lbs_cfg_connect()->lbs_associate()->lbs_add_common_rates_tlv()->add_ie_rates(). The lbs_associate() function parses the elements of cfg80211_bss in beacon packet. The elements in cfg80211_bss will be copy to cmd->iebuf, cmd->iebuf is a array of length 512.When processing WLAN_EID_SUPP_RATES or WLAN_EID_EXT_SUPP_RATES element, add_ie_rates() will be called. In add_ie_rates() function there is a write statement in For loop(*tlv++ = ie[ap];), the loop count ap_max is len of element WLAN_EID_SUPP_RATES or WLAN_EID_EXT_SUPP_RATES,but it is not checked before the For loop. The remote attacker can build a fakeAP sending malicous beacon packet with long WLAN_EID_SUPP_RATES and WLAN_EID_EXT_SUPP_RATES elements to make: sum( len(WLAN_EID_SUPP_RATES element) + len(WLAN_EID_EXT_SUPP_RATES element) + len(other elements))>512 When the victim STA connects to fakeAP, will trigger the heap buffer overflow. [3]CVE-2019-14897 :Stack Overflow in lbs_ibss_join_existing() function of Marvell Wifi Driver in Linux kernel The problem is inside add_ie_rates function in drivers/net/wireless/marvell/libertas/cfg.c. When some STAs work in IBSS mode, they can connect to each other without AP. lbs_ibss_join_existing will be called when STA joins IBSS network. The lbs_ibss_join_existing() function parses the elements in cfg80211_bss struct. The function ieee80211_bss_get_ie() is called to get WLAN_EID_SUPP_RATES element. There is a write statement in For loop(*rates++ = rate;). But loop count rates_max is not checked before the For loop ,the dst buffer rates is a array of MAX_RATES(14). The remote attacker can build a malicous IBSS sending beacon packet with long WLAN_EID_SUPP_RATES(len>14). when victim STA connect malicous IBSS, will trigger buffer overflow. Patch ========== https://patchwork.kernel.org/patch/11256477/ https://patchwork.kernel.org/patch/11257187/ Credit ========== This issue was discovered by ADLab of Venustech
Current thread:
- Linux kernel: three buffer overflow in the marvell wifi driver huangwen (Nov 22)