oss-sec mailing list archives
Re: Marvell Wifi Driver mwifiex_uap_parse_tail_ies Heap Overflow
From: Solar Designer <solar () openwall com>
Date: Tue, 4 Jun 2019 16:37:21 +0200
On Sat, Jun 01, 2019 at 06:07:57PM +0800, huangwen wrote:
> There is a heap-based buffer overflow in the Marvell wifi chip driver in the Linux kernel, which allows local users to cause a denial of service (system crash) or possibly execute arbitrary code.
> The problem is inside the mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c. There are two memcpy calls in this function. The memcpy in the while loop will be called when element_id is not equal to WLAN_EID_SSID, WLAN_EID_SUPP_RATES, etc. The copy dst buffer gen_ie->ie_buffer is an array of size IEEE_MAX_IE_SIZE (256); the src buffer is an element in cfg80211_beacon_data from user space. There is no len check for the two memcpy calls in this function. If special elements are constructed (e.g. WLAN_EID_SUPPORTED_OPERATING_CLASSES) to make memcpy be called repeatedly, this will finally trigger the overflow.
This is now CVE-2019-10126.
https://lore.kernel.org/linux-wireless/20190531131841.7552-1-tiwai () suse de
Alexander
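Added example (editor's illustration, not code from the mwifiex driver, from huangwen's report, or from the fix linked above): a user-space C model of the tail-IE accumulation loop the report describes. The element header layout, the 256-byte IEEE_MAX_IE_SIZE destination and the "skip IDs the firmware generates itself" rule follow the report; the function names, the two-entry skip list and the constructed inputs are assumptions made for the demonstration. The unchecked walk only counts what the vulnerable memcpy loop would append (it never writes out of bounds here), and the checked walk shows the bound a fixed parser needs before each copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the accumulation loop; mirrors the names in the report
 * but is not drivers/net/wireless/marvell/mwifiex/ie.c itself. */
#define IEEE_MAX_IE_SIZE 256

/* 802.11 element IDs used below.  The first two stand in for the set of IDs the
 * loop skips (firmware generates them); any other ID is appended. */
#define WLAN_EID_SSID                        0
#define WLAN_EID_SUPP_RATES                  1
#define WLAN_EID_SUPPORTED_OPERATING_CLASSES 59

struct ieee_types_header {
    uint8_t element_id;
    uint8_t len;
};

static int skipped_by_loop(uint8_t element_id)
{
    return element_id == WLAN_EID_SSID || element_id == WLAN_EID_SUPP_RATES;
}

/* Vulnerable pattern: walk the tail and count the bytes the unchecked memcpy
 * loop would append to a 256-byte buffer.  No copy is performed; any result
 * above IEEE_MAX_IE_SIZE is the heap overflow the report describes. */
static size_t unchecked_copy_total(const uint8_t *tail, size_t tail_len)
{
    size_t parsed = 0, total = 0;
    while (tail_len - parsed > sizeof(struct ieee_types_header)) {
        const struct ieee_types_header *hdr = (const void *)(tail + parsed);
        size_t token_len = hdr->len + sizeof(*hdr);
        if (token_len > tail_len - parsed)
            break;                 /* element overruns the tail: loop errors out */
        if (!skipped_by_loop(hdr->element_id))
            total += token_len;    /* only the source length is checked, never the dst */
        parsed += token_len;
    }
    return total;
}

/* Hardened pattern: same walk, but reject any element that would push the
 * accumulated length past ie_buffer.  Returns bytes written, or -1 if the
 * tail is malformed or would overflow. */
static int checked_parse_tail_ies(const uint8_t *tail, size_t tail_len,
                                  uint8_t ie_buffer[IEEE_MAX_IE_SIZE])
{
    size_t parsed = 0, ie_len = 0;
    while (tail_len - parsed > sizeof(struct ieee_types_header)) {
        const struct ieee_types_header *hdr = (const void *)(tail + parsed);
        size_t token_len = hdr->len + sizeof(*hdr);
        if (token_len > tail_len - parsed)
            return -1;             /* element claims more bytes than remain */
        if (!skipped_by_loop(hdr->element_id)) {
            if (ie_len + token_len > IEEE_MAX_IE_SIZE)
                return -1;         /* the missing bound: refuse instead of overflowing */
            memcpy(ie_buffer + ie_len, hdr, token_len);
            ie_len += token_len;
        }
        parsed += token_len;
    }
    return (int)ie_len;
}

/* Constructed input: `count` copies of one element with `len` payload bytes.
 * Returns the tail length, or 0 if `out` cannot hold it. */
static size_t build_repeated_ies(uint8_t *out, size_t out_cap,
                                 uint8_t element_id, uint8_t len, unsigned count)
{
    size_t pos = 0, need = (size_t)count * (len + sizeof(struct ieee_types_header));
    if (need > out_cap)
        return 0;
    for (unsigned i = 0; i < count; i++) {
        out[pos++] = element_id;
        out[pos++] = len;
        memset(out + pos, 0x41, len);
        pos += len;
    }
    return pos;
}

/* Scenario helpers: build a tail and run each walk over it. */
static size_t scenario_unchecked(uint8_t id, uint8_t len, unsigned count)
{
    uint8_t tail[1024];
    return unchecked_copy_total(tail, build_repeated_ies(tail, sizeof tail, id, len, count));
}

static int scenario_checked(uint8_t id, uint8_t len, unsigned count)
{
    uint8_t tail[1024], ie_buffer[IEEE_MAX_IE_SIZE];
    return checked_parse_tail_ies(tail, build_repeated_ies(tail, sizeof tail, id, len, count), ie_buffer);
}

int main(void)
{
    /* Three 100-byte operating-class elements: 3 * 102 = 306 bytes into a 256-byte buffer. */
    printf("unchecked loop would copy %zu bytes into %d\n",
           scenario_unchecked(WLAN_EID_SUPPORTED_OPERATING_CLASSES, 100, 3), IEEE_MAX_IE_SIZE);
    printf("checked parse returns %d\n",
           scenario_checked(WLAN_EID_SUPPORTED_OPERATING_CLASSES, 100, 3));
    return 0;
}
```

Note that the cumulative check is what matters: no single element in the second scenario exceeds 256 bytes, yet the third one would still write past the end of ie_buffer, so a per-element `len <= 255` test alone would not close the bug.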