[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[oss-security] Linux kernel: three buffer overflow in the marvell wifi driver



Hi,
There are three buffer overflows in marvell wifi chip driver in Linux
kernel, allow remote users to cause a denial of service(system crash) or
possibly execute arbitrary code.

Description
==========
[1]CVE-2019-14895:Heap Overflow in mwifiex_process_country_ie() function of
Marvell Wifi Driver in Linux kernel
The problem is inside mwifiex_process_country_ie() function in
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c.
When STA connects to AP, mwifiex_process_country_ie function will be called
for STA. The function call link is:
mwifiex_cfg80211_connect()->mwifiex_cfg80211_assoc()->mwifiex_bss_start()->mwifiex_process_country_ie().
mwifiex_process_country_ie() function parse elements of bss descriptor in
beacon packet. When processing WLAN_EID_COUNTRY element, there is no upper
limit check for country_ie_len before calling memcpy,the dst buffer
domain_info->triplet is a array of length MWIFIEX_MAX_TRIPLET_802_11D(83).
The remote attacker can build a fake AP sending malicous beacon packet with
long WLAN_EID_COUNTRY element. When the victim STA connects to fake AP,will
trigger the heap buffer overflow.

[2]CVE-2019-14896: Heap Overflow in add_ie_rates() function of Marvell Wifi
Driver in Linux kernel
The problem is inside add_ie_rates function in
drivers/net/wireless/marvell/libertas/cfg.c.
When STA connects to AP, add_ie_rates function will be called for STA.The
function call link is:
lbs_cfg_connect()->lbs_associate()->lbs_add_common_rates_tlv()->add_ie_rates().
The lbs_associate() function parses the elements of cfg80211_bss in beacon
packet.  The elements in cfg80211_bss  will be copy to cmd->iebuf,
cmd->iebuf is a array of length 512.When processing WLAN_EID_SUPP_RATES or
WLAN_EID_EXT_SUPP_RATES element, add_ie_rates() will be called. In
add_ie_rates() function there is a write statement  in For loop(*tlv++ =
ie[ap];), the loop count ap_max is len of element  WLAN_EID_SUPP_RATES or
WLAN_EID_EXT_SUPP_RATES,but it is not checked before the For loop.
The remote attacker can build a fakeAP sending malicous beacon packet with
long WLAN_EID_SUPP_RATES and WLAN_EID_EXT_SUPP_RATES elements to make:
 sum( len(WLAN_EID_SUPP_RATES element) + len(WLAN_EID_EXT_SUPP_RATES
element) + len(other elements))>512
When the victim STA connects to fakeAP, will trigger the heap buffer
overflow.

[3]CVE-2019-14897 :Stack Overflow in lbs_ibss_join_existing() function of
Marvell Wifi Driver in Linux kernel
The problem is inside add_ie_rates function in
drivers/net/wireless/marvell/libertas/cfg.c.
When some STAs work in IBSS mode, they can connect to each other without
AP. lbs_ibss_join_existing will be called  when STA joins IBSS network. The
lbs_ibss_join_existing() function parses the elements in cfg80211_bss
struct. The function ieee80211_bss_get_ie()  is called to get
WLAN_EID_SUPP_RATES element. There is a write statement  in For
loop(*rates++ = rate;). But loop count rates_max is not checked before the
For loop ,the dst buffer rates is  a array of MAX_RATES(14).
The remote attacker can build a malicous IBSS sending beacon packet with
long WLAN_EID_SUPP_RATES(len>14). when victim STA connect malicous IBSS,
will trigger buffer overflow.


Patch
==========
https://patchwork.kernel.org/patch/11256477/
https://patchwork.kernel.org/patch/11257187/


Credit
==========
This issue was discovered by ADLab of Venustech