oss-sec mailing list archives
Linux kernel: heap overflow in the marvell wifi driver
From: qize wang <wangqize888888888 () gmail com>
Date: Fri, 22 Nov 2019 20:51:31 +0800
Hi,

There are some heap overflows in the Marvell wifi chip driver in the Linux kernel, which allow remote users to cause a denial of service (system crash) or possibly execute arbitrary code.

Description
==========

Some flaws were found in the Linux kernel's Marvell wifi chip driver. Multiple heap overflows in the mwifiex_process_tdls_action_frame function in marvell/mwifiex/tdls.c allow remote attackers to cause a denial of service (system crash) or execute arbitrary code. When the station receives a TDLS setup request or response frame whose IE length is larger than the heap buffer assigned (for example, the EID_SUPP_RATES IE's length > 255), a heap overflow results.

struct mwifiex_tdls_capab {
	__le16 capab;
	u8 rates[32];
	u8 rates_len;
	u8 qos_info;
	u8 coex_2040;
	u16 aid;
	struct ieee80211_ht_cap ht_capb;
	struct ieee80211_ht_operation ht_oper;
	struct ieee_types_extcap extcap;
	struct ieee_types_generic rsn_ie;
	struct ieee80211_vht_cap vhtcap;
	struct ieee80211_vht_operation vhtoper;
};

int mwifiex_process_rx_packet
  -> mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, u8 *buf, int len)
{
	....
		case WLAN_EID_SUPP_RATES:
			/* attacker can control the EID_SUPP_RATES IE's length */
			sta_ptr->tdls_cap.rates_len = pos[1];
			for (i = 0; i < pos[1]; i++)
				sta_ptr->tdls_cap.rates[i] = pos[i + 2];
			break;
	...
		case WLAN_EID_EXT_SUPP_RATES:
			basic = sta_ptr->tdls_cap.rates_len;
			/* attacker can control the EID_EXT_SUPP_RATES IE's length */
			for (i = 0; i < pos[1]; i++)
				sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
			sta_ptr->tdls_cap.rates_len += pos[1];
			break;
	...
		case WLAN_EID_EXT_CAPABILITY:
			/* extcap is a TLV struct; memcpy copies a fatal length (pos[1]) into extcap */
			memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
			       sizeof(struct ieee_types_header) + min_t(u8, pos[1], 8));
			break;
		case WLAN_EID_RSN:
			/* rsn_ie is a TLV struct; memcpy copies a fatal length (pos[1]) into rsn_ie */
			memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
			       sizeof(struct ieee_types_header) +
			       min_t(u8, pos[1], IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header)));
			break;
}

Patch
==========

https://patchwork.kernel.org/patch/11257535/

Credit
==========

This issue was discovered by wangqize (ADLab of VenusTech) and huawen (ADLab of VenusTech).
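The shape of the check the parser above is missing, as an added example: this is not the mwifiex driver's code, not the linked patch, and not the advisory author's. It is a user-space TDLS IE walker modelled on the struct quoted in the post, with every ex_ name an assumption. The EID values are the 802.11 element IDs, and the destination sizes (rates[32], a 2-byte IE header plus 8 extended-capability bytes, IEEE_MAX_IE_SIZE of 256 for the RSN copy) follow the kernel definitions the post relies on. Each case first checks that the IE actually lies inside the received frame and then that its attacker-chosen length fits the fixed-size destination, refusing the frame instead of writing past the field; the constructed frames at the end are not captured traffic.

```c
/*
 * Added example (not mwifiex code): bounds-checked TDLS IE parsing modelled
 * on struct mwifiex_tdls_capab. All ex_ identifiers are assumed names.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_EID_SUPP_RATES     1     /* 802.11 element IDs */
#define WLAN_EID_RSN            48
#define WLAN_EID_EXT_SUPP_RATES 50
#define WLAN_EID_EXT_CAPABILITY 127
#define IEEE_MAX_IE_SIZE        256
#define IE_HDR_LEN              2     /* element id + length byte */

struct ex_tdls_capab {
	uint8_t rates[32];                 /* same size as tdls_cap.rates */
	uint8_t rates_len;
	uint8_t extcap[IE_HDR_LEN + 8];    /* header + 8 capability bytes */
	uint8_t rsn_ie[IEEE_MAX_IE_SIZE];  /* header + up to 254 payload bytes */
};

enum ex_status { EX_OK, EX_TRUNCATED, EX_OVERSIZED };

/*
 * Walk the IEs following the TDLS action header. The unpatched driver copied
 * pos[1] bytes straight into the fixed fields; here each IE must lie inside
 * the frame and its payload must fit its destination, or parsing stops.
 */
enum ex_status ex_parse_tdls_ies(struct ex_tdls_capab *cap,
				 const uint8_t *buf, size_t len)
{
	const uint8_t *pos = buf, *end = buf + len;

	memset(cap, 0, sizeof(*cap));
	while (pos < end) {
		/* The attacker-controlled length must not run past the frame. */
		if ((size_t)(end - pos) < IE_HDR_LEN ||
		    (size_t)(end - pos) < IE_HDR_LEN + (size_t)pos[1])
			return EX_TRUNCATED;
		switch (pos[0]) {
		case WLAN_EID_SUPP_RATES:
			if (pos[1] > sizeof(cap->rates))      /* unchecked before */
				return EX_OVERSIZED;
			cap->rates_len = pos[1];
			memcpy(cap->rates, pos + IE_HDR_LEN, pos[1]);
			break;
		case WLAN_EID_EXT_SUPP_RATES:
			/* basic + extended rates must still fit in rates[32] */
			if ((size_t)cap->rates_len + pos[1] > sizeof(cap->rates))
				return EX_OVERSIZED;
			memcpy(cap->rates + cap->rates_len, pos + IE_HDR_LEN, pos[1]);
			cap->rates_len += pos[1];
			break;
		case WLAN_EID_EXT_CAPABILITY:
			if (pos[1] > sizeof(cap->extcap) - IE_HDR_LEN)
				return EX_OVERSIZED;
			memcpy(cap->extcap, pos, IE_HDR_LEN + pos[1]);
			break;
		case WLAN_EID_RSN:
			if (pos[1] > sizeof(cap->rsn_ie) - IE_HDR_LEN)
				return EX_OVERSIZED;
			memcpy(cap->rsn_ie, pos, IE_HDR_LEN + pos[1]);
			break;
		default:
			break;                                /* skip unknown IEs */
		}
		pos += IE_HDR_LEN + pos[1];
	}
	return EX_OK;
}

/* Constructed sample frames (not captured traffic), built one IE at a time. */
static uint8_t ex_frame[512];
static size_t ex_frame_len;
static struct ex_tdls_capab ex_cap;

void ex_frame_reset(void) { ex_frame_len = 0; }

/* Append one IE whose `len` payload bytes are all `fill`. */
bool ex_frame_add(uint8_t eid, uint8_t len, uint8_t fill)
{
	if (sizeof(ex_frame) - ex_frame_len < IE_HDR_LEN + (size_t)len)
		return false;
	ex_frame[ex_frame_len++] = eid;
	ex_frame[ex_frame_len++] = len;
	memset(ex_frame + ex_frame_len, fill, len);
	ex_frame_len += len;
	return true;
}

/* Overwrite the first IE's length byte without adding payload: a truncated frame. */
void ex_frame_forge_first_len(uint8_t len) { ex_frame[1] = len; }

enum ex_status ex_frame_parse(void)
{
	return ex_parse_tdls_ies(&ex_cap, ex_frame, ex_frame_len);
}

int ex_cap_rates_len(void) { return ex_cap.rates_len; }
int ex_cap_rate(size_t i) { return i < sizeof(ex_cap.rates) ? ex_cap.rates[i] : -1; }
```

Feeding the advisory's case (a Supported Rates IE with length 40) through ex_frame_parse() returns EX_OVERSIZED, as does a 30-rate Supported Rates IE followed by a 3-rate Extended Supported Rates IE, which the original code would have accepted because each loop only looks at its own pos[1]. The EX_TRUNCATED path covers the separate problem of a length byte that points past the end of the received frame; the driver's min_t clamp on the extcap and rsn_ie copies limits how much is written but does not check how much is readable.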
Current thread:
- Linux kernel: heap overflow in the marvell wifi driver qize wang (Nov 22)
- Re: Linux kernel: heap overflow in the marvell wifi driver Solar Designer (Nov 25)