Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADt2dQe-nHwQSFHtbMzcB2C+XjcRMgkHqikf1tX+QtTEA-j5mQ@mail.gmail.com>
Date: Wed, 28 Aug 2019 13:50:53 +0800
From: huangwen <huangwenabc@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: three heap overflow in the marvell wifi driver

Hi,

There are three heap-based buffer overflows in marvell wifi chip driver in
Linux kernel, allow local users to cause a denial

of service(system crash) or possibly execute arbitrary code.The bugs can be
triggered by sending crafted  packet via netlink.


Description

==========

[1]CVE-2019-14814:Heap Overflow in mwifiex_set_uap_rates() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex_set_uap_rates() in
drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
There are two memcpy calls in this function to copy WLAN_EID_SUPP_RATES
element and WLAN_EID_EXT_SUPP_RATES element

without checking length. The dst buffer bss_cfg->rates is a array of length
MWIFIEX_SUPPORTED_RATES(14). The two elements in

cfg80211_ap_settings are from user space.



[2]CVE-2019-14815: Heap Overflow in mwifiex_set_wmm_params() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex_set_wmm_params() in
drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
mwifiex_set_wmm_params() calls memcpy to copy WLAN_OUI_MICROSOFT element to
bss_cfg->wmm_info without checking  length.

bss_cfg->wmm_info is struct mwifiex_types_wmm_info type with fixed len 24.



[3]CVE-2019-14816:Heap Overflow in mwifiex_update_vs_ie() function of
Marvell Wifi Driver in Linux kernel



The problem is inside mwifiex_update_vs_ie() in
drivers/net/wireless/marvell/mwifiex/ie.c.

mwifiex_set_mgmt_beacon_data_ies()  parses beacon IEs, probe response IEs,
association response IEs from cfg80211_ap_settings->beacon,

will call mwifiex_update_vs_ie() twice for each IEs if there exists IEs.
For beacon_ies as example, on the first call, mwifiex_update_vs_ie() alloc

memory ie and then copy WLAN_OUI_MICROSOFT element to ie->ie_buffer,
ie->ie_buffer
is a array of length IEEE_MAX_IE_SIZE(256); on the

Second call, mwifiex_update_vs_ie() copy WLAN_OUI_WFA elment to
previous allocated
ie->ie_buffer. If sum of  length of the two elements is

greater than IEEE_MAX_IE_SIZE, will cause buffer overflow.



Patch

=====

https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/



Credit

==========

This issue was discovered by huangwen of ADLab of Venustech

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.