Security
Headlines

CVE-2022-47518: [PATCH 4/4] wifi: wilc1000: validate number of channels

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.

CVE
Tags: #linux #git #buffer_overflow #auth #wifi

From: Phil Turnbull [email protected]
To: [email protected]
Cc: [email protected], [email protected], [email protected], Phil Turnbull [email protected]
Subject: [PATCH 4/4] wifi: wilc1000: validate number of channels
Date: Wed, 23 Nov 2022 10:35:43 -0500
Message-ID: [email protected]
In-Reply-To: <[email protected]>

There is no validation of 'e->no_of_channels' which can trigger an out-of-bounds write in the following 'memset' call. Validate that the number of channels does not extend beyond the size of the channel list element.

Signed-off-by: Phil Turnbull [email protected]
Tested-by: Ajay Kathat [email protected]
Acked-by: Ajay Kathat [email protected]


…/wireless/microchip/wilc1000/cfg80211.c | 22 ++++++++++++-----
1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c index c4d5a272ccc0…b545d93c6e37 100644 — a/drivers/net/wireless/microchip/wilc1000/cfg80211.c +++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c @@ -981,19 +981,29 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch) }

if (ch\_list\_idx) {

- u16 attr_size;

  •   struct wilc\_ch\_list\_elem \*e;
    
  •   int i;
    
  •   u16 elem\_size;
    
      ch\_list = (struct wilc\_attr\_ch\_list \*)&buf\[ch\_list\_idx\];
    

- attr_size = le16_to_cpu(ch_list->attr_len);

  •   for (i = 0; i < attr\_size;) {
    
  •   /\* the number of bytes following the final 'elem' member \*/
    
  •   elem\_size = le16\_to\_cpu(ch\_list->attr\_len) -
    
  •       (sizeof(\*ch\_list) - sizeof(struct wilc\_attr\_entry));
    
  •   for (unsigned int i = 0; i < elem\_size;) {
    
  •       struct wilc\_ch\_list\_elem \*e;
    
  •       e = (struct wilc\_ch\_list\_elem \*)(ch\_list->elem + i);
    
  •       i += sizeof(\*e);
    
  •       if (i > elem\_size)
    
  •           break;
    
  •       i += e->no\_of\_channels;
    
  •       if (i > elem\_size)
    
  •           break;
    
  •       if (e->op\_class == WILC\_WLAN\_OPERATING\_CLASS\_2\_4GHZ) {
              memset(e->ch\_list, sta\_ch, e->no\_of\_channels);
              break;
          }
    

- i += e->no_of_channels; } }
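Review bot: the new elem_size computation, `elem_size = le16_to_cpu(ch_list->attr_len) - (sizeof(*ch_list) - sizeof(struct wilc_attr_entry));`, wraps to a large u16 whenever attr_len is smaller than the bytes between the attribute header and elem, and nothing in this hunk rules that out; either add `if (le16_to_cpu(ch_list->attr_len) < sizeof(*ch_list) - sizeof(struct wilc_attr_entry)) return;` ahead of it, or extend the comment to say the minimum length is guaranteed by the IEEE80211_P2P_ATTR_CHANNEL_LIST length check in patch 3/4 of this series, so the next reader does not have to go and find it. The two `if (i > elem_size) break;` checks otherwise look right: the first keeps the op_class/no_of_channels read inside the attribute and the second keeps the memset inside it, and advancing by sizeof(*e) before adding no_of_channels also guarantees forward progress where the removed `i += e->no_of_channels` could stall on a zero count.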

--
2.34.1
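The following is an added example, not code from the wilc1000 driver or from the patch author: a user-space model of the channel-list loop in wilc_wfi_cfg_parse_ch_attr() before and after the fix, run on constructed attribute bytes. The struct layouts (a packed 3-byte attribute header, a 3-byte country code ahead of elem, then op_class/no_of_channels/ch_list elements), the operating-class constant and the attribute id are assumptions taken from the names in the hunk. The memset is replaced by a bounded stand-in that records how many bytes the unpatched loop would have written past the buffer, so the overflow can be measured instead of triggered.

```c
/* Added example, not driver code. Layouts and constants are assumptions
 * modelled on the names in the patch. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WILC_WLAN_OPERATING_CLASS_2_4GHZ 81   /* value assumed for the example */

struct wilc_attr_entry {                     /* generic P2P attribute header */
    uint8_t  attr_type;
    uint16_t attr_len;                       /* little-endian on the wire */
} __attribute__((packed));

struct wilc_attr_ch_list {                   /* Channel List attribute */
    uint8_t  attr_type;
    uint16_t attr_len;
    uint8_t  country_code[3];                /* assumed: the bytes before 'elem' */
    uint8_t  elem[];
} __attribute__((packed));

struct wilc_ch_list_elem {
    uint8_t op_class;
    uint8_t no_of_channels;
    uint8_t ch_list[];
} __attribute__((packed));

struct parse_result {
    int    found_2g;       /* a 2.4 GHz element was rewritten */
    size_t bytes_written;  /* channel bytes actually rewritten */
    size_t overflow;       /* bytes memset wanted to write past the buffer end */
};

static uint16_t le16_to_cpu(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Stand-in for memset() that stops at 'end' and records the excess, so the
 * unpatched loop can run here without corrupting memory. */
static void bounded_memset(uint8_t *dst, uint8_t c, size_t n, const uint8_t *end,
                           struct parse_result *r)
{
    size_t room = dst < end ? (size_t)(end - dst) : 0;
    size_t w = n < room ? n : room;
    memset(dst, c, w);
    r->bytes_written = w;
    r->overflow = n - w;
}

/* Attribute-length check assumed to come from the earlier patches in the
 * series: the attribute body must lie inside the buffer. */
static int attr_fits(const uint8_t *buf, size_t len)
{
    return len >= sizeof(struct wilc_attr_entry) &&
           le16_to_cpu(buf + offsetof(struct wilc_attr_entry, attr_len)) <=
               len - sizeof(struct wilc_attr_entry);
}

/* Before the fix: no_of_channels is trusted by the memset, and the loop steps
 * by no_of_channels alone, so it lands inside channel data after any element
 * that is not 2.4 GHz. Reads are unguarded too; the frames below keep them in
 * bounds so the model itself is safe to run. */
static struct parse_result parse_ch_attr_unpatched(uint8_t *buf, size_t len, uint8_t sta_ch)
{
    struct parse_result r = {0, 0, 0};
    struct wilc_attr_ch_list *ch_list = (struct wilc_attr_ch_list *)buf;
    uint16_t attr_size;
    int i;

    if (!attr_fits(buf, len))
        return r;
    attr_size = le16_to_cpu(buf + offsetof(struct wilc_attr_ch_list, attr_len));
    for (i = 0; i < attr_size;) {
        struct wilc_ch_list_elem *e = (struct wilc_ch_list_elem *)(ch_list->elem + i);
        if (e->op_class == WILC_WLAN_OPERATING_CLASS_2_4GHZ) {
            bounded_memset(e->ch_list, sta_ch, e->no_of_channels, buf + len, &r);
            r.found_2g = 1;
            break;
        }
        i += e->no_of_channels;
    }
    return r;
}

/* After the fix: bound i by the bytes that follow the header and reject any
 * element whose header or channel list would run past them. */
static struct parse_result parse_ch_attr_patched(uint8_t *buf, size_t len, uint8_t sta_ch)
{
    struct parse_result r = {0, 0, 0};
    struct wilc_attr_ch_list *ch_list = (struct wilc_attr_ch_list *)buf;
    size_t hdr_extra = sizeof(*ch_list) - sizeof(struct wilc_attr_entry);   /* 3 */
    uint16_t attr_len, elem_size;

    if (!attr_fits(buf, len))
        return r;
    attr_len = le16_to_cpu(buf + offsetof(struct wilc_attr_ch_list, attr_len));
    if (attr_len < hdr_extra)        /* keeps the subtraction below from wrapping */
        return r;
    elem_size = (uint16_t)(attr_len - hdr_extra);
    for (unsigned int i = 0; i < elem_size;) {
        struct wilc_ch_list_elem *e = (struct wilc_ch_list_elem *)(ch_list->elem + i);
        i += sizeof(*e);
        if (i > elem_size)           /* truncated element header */
            break;
        i += e->no_of_channels;
        if (i > elem_size)           /* channel list claims more bytes than remain */
            break;
        if (e->op_class == WILC_WLAN_OPERATING_CLASS_2_4GHZ) {
            bounded_memset(e->ch_list, sta_ch, e->no_of_channels, buf + len, &r);
            r.found_2g = 1;
            break;
        }
    }
    return r;
}

/* Constructed attribute bytes (not captured traffic): type 11, LE length,
 * 3-byte country code, then elements. FRAME_OVERCLAIM is the CVE shape:
 * an honest attr_len but a no_of_channels far beyond the bytes present. */
static const uint8_t FRAME_BENIGN[]    = {11, 8, 0, 'U', 'S', 4, 81, 3, 1, 6, 11};
static const uint8_t FRAME_OVERCLAIM[] = {11, 8, 0, 'U', 'S', 4, 81, 200, 1, 6, 11};
static const uint8_t FRAME_TWO_ELEMS[] = {11, 12, 0, 'U', 'S', 4, 115, 2, 36, 40,
                                          81, 3, 1, 6, 11};

static uint8_t g_out[64];   /* the parser's working copy, inspectable afterwards */

/* Runs one parser (patched != 0 selects the fixed loop) over a private copy
 * of a frame with sta_ch = 6 and returns what the loop did. */
static struct parse_result run_parse(const uint8_t *frame, size_t len, int patched)
{
    memcpy(g_out, frame, len);
    return patched ? parse_ch_attr_patched(g_out, len, 6)
                   : parse_ch_attr_unpatched(g_out, len, 6);
}
```

On FRAME_OVERCLAIM the unpatched loop asks the memset for 200 bytes where only 3 remain in the 11-byte buffer (overflow of 197); the patched loop breaks out at the second `i > elem_size` check and writes nothing. FRAME_TWO_ELEMS shows the second effect of the `i += sizeof(*e)` line: the old loop, stepping by no_of_channels only, walks into the 5 GHz element's channel bytes and never reaches the 2.4 GHz element, while the patched loop finds it and rewrites exactly its three channels.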


Thread overview: 6+ messages
2022-11-23 15:35 [PATCH 0/4] wilc1000: Improve RSN and attribute parsing  Phil Turnbull
2022-11-23 15:35 ` [PATCH 1/4] wifi: wilc1000: validate pairwise and authentication suite offsets  Phil Turnbull
2022-11-24 16:11   ` Kalle Valo
2022-11-23 15:35 ` [PATCH 2/4] wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute  Phil Turnbull
2022-11-23 15:35 ` [PATCH 3/4] wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute  Phil Turnbull
2022-11-23 15:35 ` [PATCH 4/4] wifi: wilc1000: validate number of channels  Phil Turnbull [this message]


Related news

Ubuntu Security Notice USN-5962-1

Ubuntu Security Notice 5962-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5950-1
Ubuntu Security Notice USN-5941-1

(Both notices carry the same summary text as USN-5962-1 above.)

CVE-2023-22436: en/security-disclosure/2023/2023-02.md · OpenHarmony/security - Gitee.com

The kernel subsystem function check_permission_for_set_tokenid within OpenHarmony-v3.1.5 and prior versions has an UAF vulnerability which local attackers can exploit this vulnerability to escalate the privilege to root.

Ubuntu Security Notice USN-5938-1
Ubuntu Security Notice USN-5935-1
Ubuntu Security Notice USN-5929-1
Ubuntu Security Notice USN-5911-1
Ubuntu Security Notice USN-5912-1

(All five notices carry the same summary text as USN-5962-1 above.)
