Headline
CVE-2019-14816: security - Linux kernel: three heap overflow in the marvell wifi driver
There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 28 Aug 2019 13:50:53 +0800 From: huangwen <huangwenabc@…il.com> To: oss-security@…ts.openwall.com Subject: Linux kernel: three heap overflow in the marvell wifi driver
Hi,
There are three heap-based buffer overflows in marvell wifi chip driver in Linux kernel, allow local users to cause a denial
of service(system crash) or possibly execute arbitrary code.The bugs can be triggered by sending crafted packet via netlink.
Description
==========
[1]CVE-2019-14814:Heap Overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver in Linux kernel
The problem is inside mwifiex_set_uap_rates() in drivers/net/wireless/marvell/mwifiex/uap_cmd.c. There are two memcpy calls in this function to copy WLAN_EID_SUPP_RATES element and WLAN_EID_EXT_SUPP_RATES element
without checking length. The dst buffer bss_cfg->rates is a array of length MWIFIEX_SUPPORTED_RATES(14). The two elements in
cfg80211_ap_settings are from user space.
[2]CVE-2019-14815: Heap Overflow in mwifiex_set_wmm_params() function of Marvell Wifi Driver in Linux kernel
The problem is inside mwifiex_set_wmm_params() in drivers/net/wireless/marvell/mwifiex/uap_cmd.c. mwifiex_set_wmm_params() calls memcpy to copy WLAN_OUI_MICROSOFT element to bss_cfg->wmm_info without checking length.
bss_cfg->wmm_info is struct mwifiex_types_wmm_info type with fixed len 24.
[3]CVE-2019-14816:Heap Overflow in mwifiex_update_vs_ie() function of Marvell Wifi Driver in Linux kernel
The problem is inside mwifiex_update_vs_ie() in drivers/net/wireless/marvell/mwifiex/ie.c.
mwifiex_set_mgmt_beacon_data_ies() parses beacon IEs, probe response IEs, association response IEs from cfg80211_ap_settings->beacon,
will call mwifiex_update_vs_ie() twice for each IEs if there exists IEs. For beacon_ies as example, on the first call, mwifiex_update_vs_ie() alloc
memory ie and then copy WLAN_OUI_MICROSOFT element to ie->ie_buffer, ie->ie_buffer is a array of length IEEE_MAX_IE_SIZE(256); on the
Second call, mwifiex_update_vs_ie() copy WLAN_OUI_WFA elment to previous allocated ie->ie_buffer. If sum of length of the two elements is
greater than IEEE_MAX_IE_SIZE, will cause buffer overflow.
Patch
=====
https://lore.kernel.org/linux-wireless/[email protected]/
Credit
==========
This issue was discovered by huangwen of ADLab of Venustech
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.
Related news
Container-native virtualization release 2.3.0 is now available with updates to packages and images that fix several bugs and add enhancements.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-1701: virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets * CVE-2020-1742: nmstate/kubernetes-nmstate-handler: /etc/passwd is given incorrect privileges
Container-native virtualization release 2.3.0 is now available with updates to packages and images that fix several bugs and add enhancements.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-1701: virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets * CVE-2020-1742: nmstate/kubernetes-nmstate-handler: /etc/passwd is given incorrect privileges
Container-native virtualization release 2.3.0 is now available with updates to packages and images that fix several bugs and add enhancements.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-1701: virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets * CVE-2020-1742: nmstate/kubernetes-nmstate-handler: /etc/passwd is given incorrect privileges
An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2015-9289: A vulnerability was found in the Linux kernel’s CX24116 tv-card driver, where an out of bounds read occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. An attacker could use this flaw to leak kernel private information to userspace. * CVE-2017-17807: The KEYS subsystem in the Linux kernel omitted an access-control check ...
An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2015-9289: A vulnerability was found in the Linux kernel’s CX24116 tv-card driver, where an out of bounds read occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. An attacker could use this flaw to leak kernel private information to userspace. * CVE-2017-17807: The KEYS subsystem in the Linux kernel omitted an access-control check ...
A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver.
There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.