<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Marvell Wifi Driver mwifiex_uap_parse_tail_ies Heap Overflow
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Solar Designer <solar () openwall com>
Date: Tue, 4 Jun 2019 16:37:21 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Sat, Jun 01, 2019 at 06:07:57PM +0800, huangwen wrote:
> There is a heap-based buffer overflow in the Marvell wifi chip driver in the Linux
> kernel, which allows local users to cause a denial of service (system crash) or
> possibly execute arbitrary code.
> The problem is inside the mwifiex_uap_parse_tail_ies function in
> drivers/net/wireless/marvell/mwifiex/ie.c.
> There are two memcpy calls in this function. The memcpy in the while loop will be
> called when element_id is not equal to WLAN_EID_SSID, WLAN_EID_SUPP_RATES,
> etc.
> The copy dst buffer gen_ie->ie_buffer is an array with size
> IEEE_MAX_IE_SIZE (256); the src buffer is an element in cfg80211_beacon_data
> from user space.
> There is no length check for the two memcpy calls in this function.
> If special elements are constructed (e.g.
> WLAN_EID_SUPPORTED_OPERATING_CLASSES) to make memcpy be called repeatedly, this will
> finally trigger the overflow.

This is now CVE-2019-10126.

https://lore.kernel.org/linux-wireless/20190531131841.7552-1-tiwai () suse de

Alexander
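A user-space model of the tail-IE accumulation loop the quoted report describes, with the cumulative length check that was missing, as an added example (not code from the mwifiex driver, from the fix, or from this thread); the struct shape, the set of skipped element IDs and the helper names are assumptions.

```c
/* Added example (not mwifiex code): user-space model of accumulating beacon
 * tail IEs (1-byte id, 1-byte len, data) into a fixed 256-byte buffer, with
 * the cumulative length check the reported loop lacked. */
#include <stdint.h>
#include <string.h>
#define IEEE_MAX_IE_SIZE 256                    /* ie_buffer size in the driver */
#define WLAN_EID_SSID 0                         /* real 802.11 element IDs */
#define WLAN_EID_SUPP_RATES 1
#define WLAN_EID_SUPPORTED_OPERATING_CLASSES 59
struct gen_ie_model {                           /* assumed stand-in for gen_ie */
    uint16_t ie_length;
    uint8_t ie_buffer[IEEE_MAX_IE_SIZE];
};
/* Copies every element except SSID/rates into ie_buffer. Returns the bytes
 * accumulated, or -1 if an element is truncated or the total would overflow. */
static int parse_tail_ies(const uint8_t *tail, size_t left, struct gen_ie_model *g)
{
    const uint8_t *pos = tail;
    g->ie_length = 0;
    while (left >= 2) {
        size_t ie_len = 2 + pos[1];             /* header + payload length */
        if (ie_len > left)
            return -1;                          /* element runs past input */
        switch (pos[0]) {
        case WLAN_EID_SSID:
        case WLAN_EID_SUPP_RATES:
            break;                              /* handled elsewhere; skip */
        default:
            /* The missing check: bound the running total before memcpy. */
            if ((size_t)g->ie_length + ie_len > IEEE_MAX_IE_SIZE)
                return -1;
            memcpy(g->ie_buffer + g->ie_length, pos, ie_len);
            g->ie_length += ie_len;
        }
        pos += ie_len;
        left -= ie_len;
    }
    return g->ie_length;
}
/* Constructed input: three 100-byte operating-class elements (306 bytes total). */
static int oversize_tail_demo(void)
{
    static uint8_t tail[3 * 102];
    struct gen_ie_model g;
    for (int i = 0; i < 3; i++)
        tail[i * 102] = WLAN_EID_SUPPORTED_OPERATING_CLASSES, tail[i * 102 + 1] = 100;
    return parse_tail_ies(tail, sizeof tail, &g); /* -1: rejected before overflow */
}
```

The same input drives the unchecked loop 306 bytes into a 256-byte buffer; with the check, the third element fails the bound and the caller can reject the beacon data.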
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
Current thread:
Marvell Wifi Driver mwifiex_uap_parse_tail_ies Heap Overflow huangwen (Jun 01)
Re: Marvell Wifi Driver mwifiex_uap_parse_tail_ies Heap Overflow Solar Designer (Jun 04)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->