Message-ID: <000f01d516d6$af59d490$0e0d7db0$@com.cn>
Date: Thu, 30 May 2019 18:58:59 +0800
From: "huangwen" <huangwen@...ustech.com.cn>
To: <oss-security@...ts.openwall.com>
Subject: CVE-2019-3846: Marvell Wifi Driver mwifiex mwifiex_update_bss_desc_with_ie Heap Overflow

Hi,

There is a heap overflow in the Marvell wifi driver in the Linux kernel that allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code.

Description
==========

The problem is inside the mwifiex_update_bss_desc_with_ie function in drivers/net/wireless/marvell/mwifiex/scan.c. When an STA connects to an AP, the mwifiex_update_bss_desc_with_ie function is called to update the bss descriptor. In the mwifiex_update_bss_desc_with_ie function, the IEs of the beacon packet are parsed. When processing the WLAN_EID_SUPP_RATES element, it does not check the length of the rates data before calling memcpy; the dst buffer bss_entry->data_rates is an array of size MWIFIEX_SUPPORTED_RATES (14). A remote attacker can build a fake AP sending a malicious beacon packet with a long WLAN_EID_SUPP_RATES element (element_len > 14); when the victim STA connects to the fake AP, this will trigger the heap buffer overflow.

    int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                                        struct mwifiex_bssdescriptor *bss_entry)
    {
            .....
            /* Process variable IE */
            while (bytes_left >= 2) {
                    element_id = *current_ptr;
                    element_len = *(current_ptr + 1);
                    total_ie_len = element_len + sizeof(struct ieee_types_header);

                    if (bytes_left < total_ie_len) {
                            mwifiex_dbg(adapter, ERROR,
                                        "err: InterpretIE: in processing\t"
                                        "IE, bytes left < IE length\n");
                            return -1;
                    }
                    switch (element_id) {
                    case WLAN_EID_SSID:
                            bss_entry->ssid.ssid_len = element_len;
                            memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
                                   element_len);
                            mwifiex_dbg(adapter, INFO,
                                        "info: InterpretIE: ssid: %-32s\n",
                                        bss_entry->ssid.ssid);
                            break;

                    case WLAN_EID_SUPP_RATES:
                            memcpy(bss_entry->data_rates, current_ptr + 2, //overflow!!!!!!!!!!!
                                   element_len);
                            memcpy(bss_entry->supported_rates, current_ptr + 2,
                                   element_len);
                            rate_size = element_len;
                            found_data_rate_ie = true;
                            break;

                    case WLAN_EID_FH_PARAMS:
                            fh_param_set =
                                    (struct ieee_types_fh_param_set *) current_ptr;
                            memcpy(&bss_entry->phy_param_set.fh_param_set,
                                   fh_param_set,
                                   sizeof(struct ieee_types_fh_param_set));
                            break;
                    ......
                    }
            }

Credit
==========

This issue was discovered by huangwen of ADLab of Venustech

Patch
=====

https://lore.kernel.org/linux-wireless/20190529125220.17066-1-tiwai@suse.de/
https://lore.kernel.org/linux-wireless/20190529125220.17066-2-tiwai@suse.de/
https://lore.kernel.org/linux-wireless/20190529125220.17066-3-tiwai@suse.de/
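As an added illustration of the missing bound (example code written for this page, not the driver's code and not the linked patches): a minimal IE walker in the shape of the loop above that clamps the WLAN_EID_SUPP_RATES length to MWIFIEX_SUPPORTED_RATES before the memcpy. The struct is a hypothetical stand-in for the bss descriptor fields involved, and the IE bytes are a constructed sample, not captured traffic.

```c
#include <stdint.h>
#include <string.h>

#define MWIFIEX_SUPPORTED_RATES 14
#define WLAN_EID_SUPP_RATES 1

/* Hypothetical stand-in for the mwifiex_bssdescriptor fields used here. */
struct bss_desc {
	uint8_t data_rates[MWIFIEX_SUPPORTED_RATES];
	uint8_t supported_rates[MWIFIEX_SUPPORTED_RATES];
	size_t rate_size;
};

/* Walk the variable IEs (id, len, payload), clamping the rates length to the
 * destination size. Returns 0, or -1 if a length field runs past the buffer. */
int parse_bss_ies(struct bss_desc *bss, const uint8_t *ie, size_t bytes_left)
{
	memset(bss, 0, sizeof(*bss));
	while (bytes_left >= 2) {
		uint8_t element_id = ie[0];
		size_t element_len = ie[1];
		size_t total_ie_len = element_len + 2;
		if (bytes_left < total_ie_len)
			return -1;	/* same check the driver already has */
		if (element_id == WLAN_EID_SUPP_RATES) {
			size_t n = element_len;
			if (n > MWIFIEX_SUPPORTED_RATES)	/* the missing bound */
				n = MWIFIEX_SUPPORTED_RATES;
			memcpy(bss->data_rates, ie + 2, n);
			memcpy(bss->supported_rates, ie + 2, n);
			bss->rate_size = n;
		}
		ie += total_ie_len;
		bytes_left -= total_ie_len;
	}
	return 0;
}

/* Constructed IE list: SSID "test" followed by a SUPP_RATES IE of length 20. */
static const uint8_t sample_ies[] = {
	0x00, 0x04, 't', 'e', 's', 't', 0x01, 0x14,
	1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
};

/* Parses the sample; returns the stored rate count, 14 rather than 20. */
size_t demo_rate_size(void)
{
	struct bss_desc bss;
	return parse_bss_ies(&bss, sample_ies, sizeof sample_ies) == 0 ? bss.rate_size : 0;
}
```

The per-element length check alone does not protect the fixed-size destination; the clamp against the buffer size is what keeps a 20-byte rates element from writing past a 14-byte array.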