CVE-2019-16746: '[PATCH 1/2] nl80211: validate beacon head'

An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.
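As an added illustration (not code from this page or from the kernel), the following user-space C model reproduces the kind of check the fix introduces: walk the variable elements that follow the fixed beacon fields and reject any element whose declared length runs past the end of the buffer, or a walk that does not end exactly at the buffer end. The 802.11 layout (24-byte management header, 12 bytes of fixed beacon fields, then id/len/data elements) is assumed, and the beacon bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MGMT_HDR_LEN     24                         /* 802.11 mgmt header, no HT control */
#define BEACON_FIXED_LEN (MGMT_HDR_LEN + 8 + 2 + 2) /* + timestamp, interval, capability */

/* Model of the check the patch adds: returns 1 only if the head has the fixed
 * part, the header is a plain 24-byte management header, every element's
 * length byte fits in what remains, and the walk ends exactly at the buffer
 * end (the kernel's for_each_element_completed() condition). */
static int beacon_head_valid(const uint8_t *data, size_t len)
{
    uint16_t fc;
    size_t pos;

    if (len < BEACON_FIXED_LEN)           /* must hold before reading frame control */
        return 0;
    /* frame control (little-endian): bits 2-3 = type (0 = management),
     * bit 15 = Order flag, which would add a 4-byte HT control field */
    fc = (uint16_t)data[0] | ((uint16_t)data[1] << 8);
    if ((fc & 0x000c) != 0 || (fc & 0x8000) != 0)
        return 0;
    for (pos = BEACON_FIXED_LEN; len - pos >= 2; pos += 2 + data[pos + 1]) {
        if (2 + (size_t)data[pos + 1] > len - pos)
            return 0;                     /* element claims bytes past the buffer */
    }
    return pos == len;                    /* a dangling 1-byte fragment fails too */
}

/* Constructed sample head (assumed layout): zeroed header/fixed fields with a
 * beacon frame control byte, then an SSID element "lab" and a Supported Rates
 * element. ssid_len is the SSID length byte to write; extra appends that many
 * stray trailing bytes after the last element. */
static size_t build_head(uint8_t *out, uint8_t ssid_len, size_t extra)
{
    static const uint8_t elems[] = { 0x00, 0x03, 'l', 'a', 'b',   /* SSID  */
                                     0x01, 0x02, 0x82, 0x84 };    /* rates */
    size_t n = BEACON_FIXED_LEN + sizeof(elems);

    memset(out, 0, n + extra);
    out[0] = 0x80;                        /* type management, subtype beacon */
    memcpy(out + BEACON_FIXED_LEN, elems, sizeof(elems));
    out[BEACON_FIXED_LEN + 1] = ssid_len;
    return n + extra;
}

int check_honest(void)   { uint8_t b[64]; return beacon_head_valid(b, build_head(b, 3, 0)); }
int check_overrun(void)  { uint8_t b[64]; return beacon_head_valid(b, build_head(b, 32, 0)); }
int check_dangling(void) { uint8_t b[64]; return beacon_head_valid(b, build_head(b, 3, 1)); }
```

The overrun case is the shape the CVE describes: an SSID length byte of 32 with only three bytes of SSID actually present, which downstream code would otherwise read past the attribute.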


List: linux-wireless
Subject: [PATCH 1/2] nl80211: validate beacon head
From: Johannes Berg <johannes () sipsolutions ! net>
Date: 2019-09-20 19:54:17
Message-ID: 1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef () changeid

From: Johannes Berg [email protected]

We currently don’t validate the beacon head, i.e. the header, fixed part and elements that are to go in front of the TIM element. This means that the variable elements there can be malformed, e.g. have a length exceeding the buffer size, but most downstream code from this assumes that this has already been checked.

Add the necessary checks to the netlink policy.

Cc: [email protected]
Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings")
Signed-off-by: Johannes Berg [email protected]


 net/wireless/nl80211.c | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index fd05ae1437a9…932854a0c38b 100644 — a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -201,6 +201,38 @@ cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info) return __cfg80211_rdev_from_attrs(netns, info->attrs); }

+static int validate_beacon_head(const struct nlattr *attr,

  •           struct netlink\_ext\_ack \*extack)
    

+{

  • const u8 *data = nla_data(attr);
  • unsigned int len = nla_len(attr);
  • const struct element *elem;
  • const struct ieee80211_mgmt *mgmt = (void *)data;
  • unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
  •                u.beacon.variable);
    
  • if (len < fixedlen)
  •   goto err;
    
  • if (ieee80211_hdrlen(mgmt->frame_control) !=
  •   offsetof(struct ieee80211\_mgmt, u.beacon))
    
  •   goto err;
    
  • data += fixedlen;
  • len -= fixedlen;
  • for_each_element(elem, data, len) {
  •   /\* nothing \*/
    
  • }
  • if (for_each_element_completed(elem, data, len))
  •   return 0;
    

+err:

  • NL_SET_ERR_MSG_ATTR(extack, attr, “malformed beacon head”);
  • return -EINVAL; +}

static int validate_ie_attr(const struct nlattr *attr, struct netlink_ext_ack *extack) { @@ -322,8 +354,9 @@ const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {

\[NL80211\_ATTR\_BEACON\_INTERVAL\] = { .type = NLA\_U32 },
\[NL80211\_ATTR\_DTIM\_PERIOD\] = { .type = NLA\_U32 },
  • [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
  •                  .len = IEEE80211\_MAX\_DATA\_LEN },
    
  • [NL80211_ATTR_BEACON_HEAD] =
  •   NLA\_POLICY\_VALIDATE\_FN(NLA\_BINARY, validate\_beacon\_head,
    
  •                  IEEE80211\_MAX\_DATA\_LEN),
    
    [NL80211_ATTR_BEACON_TAIL] = NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr, IEEE80211_MAX_DATA_LEN), – 2.20.1
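Review bot: in the first hunk, the empty `for_each_element(elem, data, len)` loop body marked `/* nothing */` deserves a one-line comment saying the walk only exists to position `elem` for `for_each_element_completed()`, which is where an element whose length byte exceeds the remaining buffer is actually rejected; as written a reader may take the loop for unfinished code. The `if (len < fixedlen) goto err;` check must also stay ahead of the `ieee80211_hdrlen(mgmt->frame_control)` call, since that call reads `frame_control` out of the attribute; a short comment there would stop a later reorder from reintroducing an out-of-bounds read on a short attribute.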
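Review bot: in the second hunk, replacing the plain `{ .type = NLA_BINARY, .len = IEEE80211_MAX_DATA_LEN }` entry with `NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head, IEEE80211_MAX_DATA_LEN)` keeps the same maximum length and runs the new validator at policy time, matching how `NL80211_ATTR_BEACON_TAIL` already uses `validate_ie_attr`. Note the behaviour change this implies: a head shorter than the fixed beacon part, which the old policy accepted, now fails with `-EINVAL` and the "malformed beacon head" extack message; that is the point of the patch, but it is worth stating in the commit message so the stricter policy is documented.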
