oss-sec mailing list archives

Linux kernel: two buffer overflows in the marvell wifi driver


From: qing xu <m1s5p6688 () gmail com>
Date: Fri, 8 May 2020 18:38:08 +0800

Hi,
There are two buffer overflows in the Marvell wifi chip driver in the Linux
kernel which cause a denial of service (system crash) or possibly execute
arbitrary code.

Description
==========
[1] CVE-2020-12653: mwifiex_cmd_append_vsie_tlv() in
drivers/net/wireless/marvell/mwifiex/scan.c calls memcpy() without checking
the destination size, which may trigger a buffer overflow that a local user
could use to cause denial of service or the execution of arbitrary code.

[2] CVE-2020-12654: mwifiex_ret_wmm_get_status() in
drivers/net/wireless/marvell/mwifiex/wmm.c calls memcpy() without checking
the destination size. Since the source is given from a remote AP which
contains illegal wmm elements, this may trigger a heap buffer overflow.

Patch
==========
https://patchwork.kernel.org/patch/11315255/
https://patchwork.kernel.org/patch/11315253/

Credit
==========
This issue was discovered by ADLab of Venustech
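
The check both descriptions above say is missing, as an added example that is not part of the original post and is neither the mwifiex code nor the linked patches. It is a user-space model of a length-prefixed element copied into a fixed-size destination; copy_element(), struct param_store, ELEM_ID, DST_MAX and the sample byte strings are all hypothetical or constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELEM_ID 0xDD  /* element id used by the constructed samples */
#define DST_MAX 24    /* hypothetical size of the fixed destination */

struct param_store { uint8_t data[DST_MAX]; size_t len; };
static struct param_store store;

/* Constructed sample inputs (id, length, value), not captured traffic. */
static const uint8_t sample_ok[] = {0x00, 0x03, 'a', 'p', '1', ELEM_ID, 0x04, 1, 2, 3, 4};
static const uint8_t sample_oversized[2 + 32] = {ELEM_ID, 32}; /* value longer than DST_MAX */
static const uint8_t sample_truncated[] = {ELEM_ID, 0x10, 1, 2}; /* length runs past the input */

/* Copy the first element with id want_id into dst.
 * Returns 0 on success, -1 if absent, -2 if malformed or too large. */
int copy_element(const uint8_t *buf, size_t buf_len, uint8_t want_id,
                 struct param_store *dst)
{
    size_t off = 0;

    while (buf_len - off >= 2) {
        uint8_t id = buf[off];
        size_t elen = buf[off + 1];

        off += 2;
        if (elen > buf_len - off)
            return -2;              /* header claims more than the input holds */
        if (id == want_id) {
            if (elen > sizeof(dst->data))
                return -2;          /* would overflow dst: reject before memcpy() */
            memcpy(dst->data, buf + off, elen);
            dst->len = elen;
            return 0;
        }
        off += elen;
    }
    return -1;
}

int main(void)
{
    printf("ok=%d oversized=%d truncated=%d\n",
           copy_element(sample_ok, sizeof(sample_ok), ELEM_ID, &store),
           copy_element(sample_oversized, sizeof(sample_oversized), ELEM_ID, &store),
           copy_element(sample_truncated, sizeof(sample_truncated), ELEM_ID, &store));
    return 0;
}
```

The length field is checked twice: once against the bytes left in the input and once against the destination, because an element can be well-formed on the wire and still larger than the buffer it is copied into.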
