Re: Marvell Wifi Driver mwifiex_uap_parse_tail_ies Heap Overflow

[Solar Designer <solar () openwall com>]

On Sat, Jun 01, 2019 at 06:07:57PM +0800, huangwen wrote:
> There is heap-based buffer overflow in marvell wifi chip driver in Linux
> kernel,allows local users to cause a denial of service(system crash) or
> possibly execute arbitrary code.

> The problem is inside mwifiex_uap_parse_tail_ies function in
> drivers/net/wireless/marvell/mwifiex/ie.c. 
>
> There are two memcpy in this function.The memcpy in while loop will be
> called when element_id is not equal to WLAN_EID_SSID,WLAN_EID_SUPP_RATES
> etc.
>
> The copy dst buffer gen_ie->ie_buffer is a array with size
> IEEE_MAX_IE_SIZE(256), the src buffer is element in cfg80211_beacon_data
> from user space. 
>
> There is not len check for two memcpy in this function.
>
> If special elements are constructed (E.g.
> WLAN_EID_SUPPORTED_OPERATING_CLASSES) to make memcpy called repeatedly, will
> finally trigger the overflow.

This is now CVE-2019-10126.

> https://lore.kernel.org/linux-wireless/20190531131841.7552-1-tiwai () suse de

Alexander