oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Linux kernel: three heap overflow in the marvell wifi driver

From: huangwen <huangwenabc () gmail com>
Date: Wed, 28 Aug 2019 13:50:53 +0800
Hi,

There are three heap-based buffer overflows in marvell wifi chip driver in
Linux kernel, allow local users to cause a denial

of service(system crash) or possibly execute arbitrary code.The bugs can be
triggered by sending crafted  packet via netlink.


Description

==========

[1]CVE-2019-14814:Heap Overflow in mwifiex_set_uap_rates() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex_set_uap_rates() in
drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
There are two memcpy calls in this function to copy WLAN_EID_SUPP_RATES
element and WLAN_EID_EXT_SUPP_RATES element

without checking length. The dst buffer bss_cfg->rates is a array of length
MWIFIEX_SUPPORTED_RATES(14). The two elements in

cfg80211_ap_settings are from user space.



[2]CVE-2019-14815: Heap Overflow in mwifiex_set_wmm_params() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex_set_wmm_params() in
drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
mwifiex_set_wmm_params() calls memcpy to copy WLAN_OUI_MICROSOFT element to
bss_cfg->wmm_info without checking  length.

bss_cfg->wmm_info is struct mwifiex_types_wmm_info type with fixed len 24.



[3]CVE-2019-14816:Heap Overflow in mwifiex_update_vs_ie() function of
Marvell Wifi Driver in Linux kernel



The problem is inside mwifiex_update_vs_ie() in
drivers/net/wireless/marvell/mwifiex/ie.c.

mwifiex_set_mgmt_beacon_data_ies()  parses beacon IEs, probe response IEs,
association response IEs from cfg80211_ap_settings->beacon,

will call mwifiex_update_vs_ie() twice for each IEs if there exists IEs.
For beacon_ies as example, on the first call, mwifiex_update_vs_ie() alloc

memory ie and then copy WLAN_OUI_MICROSOFT element to ie->ie_buffer,
ie->ie_buffer
is a array of length IEEE_MAX_IE_SIZE(256); on the

Second call, mwifiex_update_vs_ie() copy WLAN_OUI_WFA elment to
previous allocated
ie->ie_buffer. If sum of  length of the two elements is

greater than IEEE_MAX_IE_SIZE, will cause buffer overflow.



Patch

=====

https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc () gmail com/



Credit

==========

This issue was discovered by huangwen of ADLab of Venustech
Previous By Date Next
Previous By Thread Next

Current thread: