oss-sec mailing list archives
Linux kernel: two buffer overflows in the marvell wifi driver
From: qing xu <m1s5p6688 () gmail com>
Date: Fri, 8 May 2020 18:38:08 +0800
Hi,

There are two buffer overflows in the Marvell wifi chip driver in the Linux kernel which cause a denial of service (system crash) or possibly execute arbitrary code.

Description
==========
[1] CVE-2020-12653: The mwifiex_cmd_append_vsie_tlv() in drivers/net/wireless/marvell/mwifiex/scan.c calls memcpy() without checking the destination size, which may trigger a buffer overflow that a local user could use to cause denial of service or the execution of arbitrary code.

[2] CVE-2020-12654: mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c calls memcpy() without checking the destination size. Since the source is given from a remote AP which contains illegal WMM elements, this may trigger a heap buffer overflow.

Patch
==========
https://patchwork.kernel.org/patch/11315255/
https://patchwork.kernel.org/patch/11315253/

Credit
==========
This issue was discovered by ADLab of Venustech
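The check both entries describe as missing, comparing an input-supplied length with the destination size before memcpy(), is illustrated below as an added example. It is not the mwifiex driver's code or the linked patches; `ie_store`, `IE_BODY_MAX` and `ie_copy_checked` are hypothetical names, and the sample elements are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_BODY_MAX 24            /* hypothetical capacity of the destination */

struct ie_store {                 /* hypothetical fixed-size destination */
    uint8_t id;
    uint8_t len;
    uint8_t body[IE_BODY_MAX];
};

/* Copy one id/len/body element out of an untrusted buffer.
 * Returns 0 on success, -1 if the element is truncated or does not fit. */
int ie_copy_checked(struct ie_store *dst, const uint8_t *src, size_t src_len)
{
    size_t body_len;

    if (src_len < 2)
        return -1;                /* id/len header is incomplete */
    body_len = src[1];
    if (body_len > src_len - 2)
        return -1;                /* length field claims more than was received */
    if (body_len > sizeof(dst->body))
        return -1;                /* would overrun the destination */
    dst->id = src[0];
    dst->len = (uint8_t)body_len;
    memcpy(dst->body, src + 2, body_len);
    return 0;
}

/* Constructed samples: a well-formed element and one whose length field
 * (0x40 = 64) is larger than IE_BODY_MAX. */
static const uint8_t sample_ok[] = { 0xdd, 0x04, 0x00, 0x50, 0xf2, 0x02 };
static uint8_t sample_big[2 + 0x40] = { 0xdd, 0x40 };

int main(void)
{
    struct ie_store st;

    printf("well-formed: %d\n", ie_copy_checked(&st, sample_ok, sizeof(sample_ok)));
    printf("oversized:   %d\n", ie_copy_checked(&st, sample_big, sizeof(sample_big)));
    return 0;
}
```

The oversized element is rejected before any byte is copied, so the destination keeps its previous contents.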