
Linux kernel: heap overflow in the marvell wifi driver


From: qize wang <wangqize888888888 () gmail com>
Date: Fri, 22 Nov 2019 20:51:31 +0800

Hi,
There are several heap overflows in the Marvell wifi chip driver in the Linux
kernel, which allow remote users to cause a denial of service (system crash) or
possibly execute arbitrary code.

Description
==========

Some flaws were found in the Linux kernel's Marvell wifi chip driver.
Multiple heap overflows in the mwifiex_process_tdls_action_frame function in
marvell/mwifiex/tdls.c allow remote attackers to cause a denial
of service (system crash) or execute arbitrary code.

When the station receives a TDLS setup request or response frame whose IE
length is larger than the heap buffer assigned (for example: the
EID_SUPP_RATES IE's length > 255), a heap overflow occurs.


/*
 * Per-station TDLS capabilities (sta_ptr->tdls_cap) filled in from the IEs
 * of a received TDLS setup request/response frame; see the WLAN_EID_* cases
 * quoted from mwifiex_process_tdls_action_frame below.
 */
struct mwifiex_tdls_capab {
        __le16 capab;
        /*
         * Supported rates copied from the WLAN_EID_SUPP_RATES and
         * WLAN_EID_EXT_SUPP_RATES IEs.  Fixed 32-byte buffer, but the quoted
         * parser copies pos[1] bytes (an 8-bit IE length, so up to 255)
         * without checking against sizeof(rates); the EXT_SUPP_RATES case
         * additionally writes starting at offset rates_len, so the combined
         * length of both IEs must also stay within 32 bytes.  The bound
         * check belongs in the parser, before the copy loops.
         */
        u8 rates[32];
        /*
         * Bytes in use in rates[]: set from pos[1] by the SUPP_RATES case and
         * incremented by pos[1] in the EXT_SUPP_RATES case.
         */
        u8 rates_len;
        u8 qos_info;
        u8 coex_2040;
        u16 aid;
        struct ieee80211_ht_cap ht_capb;
        struct ieee80211_ht_operation ht_oper;
        /*
         * Written by memcpy of the raw IE: header plus min(pos[1], 8) bytes.
         * NOTE(review): the definition of ieee_types_extcap is not shown
         * here; confirm its payload really holds 8 bytes.
         */
        struct ieee_types_extcap extcap;
        /*
         * Written by memcpy of the raw IE: header plus
         * min(pos[1], IEEE_MAX_IE_SIZE - sizeof(header)) bytes.
         * NOTE(review): the definition of ieee_types_generic is not shown
         * here; confirm it is at least IEEE_MAX_IE_SIZE bytes.
         */
        struct ieee_types_generic rsn_ie;
        struct ieee80211_vht_cap vhtcap;
        struct ieee80211_vht_operation vhtoper;
};

int mwifiex_process_rx_packet -> mwifiex_process_tdls_action_frame
(struct mwifiex_private *priv,
                                       u8 *buf, int len)
{
.... 
case WLAN_EID_SUPP_RATES:
                        sta_ptr->tdls_cap.rates_len = pos[1];   ;attacker can control 
                                                                ;EID_SUPP_RATES IE 's length
                        for (i = 0; i < pos[1]; i++)
                                sta_ptr->tdls_cap.rates[i] = pos[i + 2];
                        break;
…
case WLAN_EID_EXT_SUPP_RATES:
                        basic = sta_ptr->tdls_cap.rates_len;
                        for (i = 0; i < pos[1]; i++)                                            ;attacker can control 
                                                                                                        ;EID_SUPP_RATES 
IE 's length
                                sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];    
                        sta_ptr->tdls_cap.rates_len += pos[1];  
                        break;
…
case WLAN_EID_EXT_CAPABILITY:
                        memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
                               sizeof(struct ieee_types_header) +
                               min_t(u8, pos[1], 8));       ;extcap is tlv struct, 
                                                                        ;memcpy will cause a fata 
                                                                        ;len(p[1]) into extcap
                        break;
case WLAN_EID_RSN:
                        memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
                               sizeof(struct ieee_types_header) +
                               min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
                                     sizeof(struct ieee_types_header)); rsn_ie is tlv struct ,
                                                                                          ;memcpy will cause a fata 
                                                                                          ;len(p[1]) into rsn_ie

}

Patch
==========
https://patchwork.kernel.org/patch/11257535/

Credit
==========
This issue was discovered by wangqize (ADLab of VenusTech) and huawen (ADLab of VenusTech).

