oss-sec mailing list archives
Linux kernel: three heap overflow in the marvell wifi driver
From: huangwen <huangwenabc () gmail com>
Date: Wed, 28 Aug 2019 13:50:53 +0800
Hi, There are three heap-based buffer overflows in marvell wifi chip driver in Linux kernel, allow local users to cause a denial of service(system crash) or possibly execute arbitrary code.The bugs can be triggered by sending crafted packet via netlink. Description ========== [1]CVE-2019-14814:Heap Overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver in Linux kernel The problem is inside mwifiex_set_uap_rates() in drivers/net/wireless/marvell/mwifiex/uap_cmd.c. There are two memcpy calls in this function to copy WLAN_EID_SUPP_RATES element and WLAN_EID_EXT_SUPP_RATES element without checking length. The dst buffer bss_cfg->rates is a array of length MWIFIEX_SUPPORTED_RATES(14). The two elements in cfg80211_ap_settings are from user space. [2]CVE-2019-14815: Heap Overflow in mwifiex_set_wmm_params() function of Marvell Wifi Driver in Linux kernel The problem is inside mwifiex_set_wmm_params() in drivers/net/wireless/marvell/mwifiex/uap_cmd.c. mwifiex_set_wmm_params() calls memcpy to copy WLAN_OUI_MICROSOFT element to bss_cfg->wmm_info without checking length. bss_cfg->wmm_info is struct mwifiex_types_wmm_info type with fixed len 24. [3]CVE-2019-14816:Heap Overflow in mwifiex_update_vs_ie() function of Marvell Wifi Driver in Linux kernel The problem is inside mwifiex_update_vs_ie() in drivers/net/wireless/marvell/mwifiex/ie.c. mwifiex_set_mgmt_beacon_data_ies() parses beacon IEs, probe response IEs, association response IEs from cfg80211_ap_settings->beacon, will call mwifiex_update_vs_ie() twice for each IEs if there exists IEs. For beacon_ies as example, on the first call, mwifiex_update_vs_ie() alloc memory ie and then copy WLAN_OUI_MICROSOFT element to ie->ie_buffer, ie->ie_buffer is a array of length IEEE_MAX_IE_SIZE(256); on the Second call, mwifiex_update_vs_ie() copy WLAN_OUI_WFA elment to previous allocated ie->ie_buffer. If sum of length of the two elements is greater than IEEE_MAX_IE_SIZE, will cause buffer overflow. Patch ===== https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc () gmail com/ Credit ========== This issue was discovered by huangwen of ADLab of Venustech
Current thread:
- Linux kernel: three heap overflow in the marvell wifi driver huangwen (Aug 28)