Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190604143721.GA18436@openwall.com>
Date: Tue, 4 Jun 2019 16:37:21 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: huangwen <huangwen@...usgroup.com.cn>
Subject: Re: Marvell Wifi Driver mwifiex_uap_parse_tail_ies Heap Overflow

On Sat, Jun 01, 2019 at 06:07:57PM +0800, huangwen wrote:
> There is heap-based buffer overflow in marvell wifi chip driver in Linux
> kernel,allows local users to cause a denial of service(system crash) or
> possibly execute arbitrary code.

> The problem is inside mwifiex_uap_parse_tail_ies function in
> drivers/net/wireless/marvell/mwifiex/ie.c. 
> 
> There are two memcpy in this function.The memcpy in while loop will be
> called when element_id is not equal to WLAN_EID_SSID,WLAN_EID_SUPP_RATES
> etc.
> 
> The copy dst buffer gen_ie->ie_buffer is a array with size
> IEEE_MAX_IE_SIZE(256), the src buffer is element in cfg80211_beacon_data
> from user space. 
> 
> There is not len check for two memcpy in this function.
> 
> If special elements are constructed (E.g.
> WLAN_EID_SUPPORTED_OPERATING_CLASSES) to make memcpy called repeatedly, will
> finally trigger the overflow.

This is now CVE-2019-10126.

> https://lore.kernel.org/linux-wireless/20190531131841.7552-1-tiwai@suse.de

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.