From: Kalle Valo <kvalo@codeaurora.org>
To: max chee <maxchee@outlook.com>
Cc: "linux-wireless\@vger.kernel.org"
<linux-wireless@vger.kernel.org>,
"amitkarwar\@gmail.com" <amitkarwar@gmail.com>,
"ganapathi017\@gmail.com" <ganapathi017@gmail.com>,
"sharvari.harisangam\@nxp.com" <sharvari.harisangam@nxp.com>,
"huxinming820\@gmail.com" <huxinming820@gmail.com>,
"davem\@davemloft.net" <davem@davemloft.net>,
"kuba\@kernel.org" <kuba@kernel.org>
Subject: Re: Heap based overflow in Marvell Wifi mwifiex_cfg80211_start_ap function
Date: Mon, 29 Nov 2021 10:48:05 +0200 [thread overview]
Message-ID: <87czmjgxfe.fsf@codeaurora.org> (raw)
In-Reply-To: <SI2PR06MB4060AE27017D9205ADBC7140A3659@SI2PR06MB4060.apcprd06.prod.outlook.com> (max chee's message of "Sun, 28 Nov 2021 19:28:19 +0000")
max chee <maxchee@outlook.com> writes:
> I found a possible heap-based overflow through code review in marvell wifi chip driver in Linux
> Kernel, allowing local users to cause a denial of service or possibly execute arbitrary code. Similar
> to CVE-2019-14814, I think that the bug can be triggered by sending crafted packet via netlink.
>
> I believe this belongs to the Linux Wireless mailing list
> (https://patchwork.kernel.org/project/linux-wireless/)
Please don't send HTML emails, our mailing lists drop them. I found this
from my spam folder just by accident.
> Description
>
>
>
> ==========
>
>
>
> [1]Heap Overflow in mwifiex_cfg80211_start_ap() function of Marvell Wifi Driver in Linux kernel
>
>
>
>
>
> The problem is inside mwifiex_cfg80211_start_ap() in
> drivers/net/wireless/marvell/mwifiex/cfg80211.c
>
>
>
> There is a memcpy calls in this function to copy params->ssid without checking length. This
> would result in a heap overflow because params->ssid_len is from cfg80211_ap_settings which is
> from user space.
>
>
>
>
>
> Recommended Patch in drivers/net/wireless/marvell/mwifiex/cfg80211.c
>
>
>
> =====
>
>
>
> + if (ssid_len > IEEE80211_MAX_SSID_LEN) {
>
> + mwifiex_dbg(priv->adapter, ERROR, "invalid SSID - aborting\n");
>
> + return -EINVAL;
>
> + }
>
> if (params->ssid && params->ssid_len) {
>
> memcpy(bss_cfg->ssid.ssid, params->ssid, params->ssid_len);
>
> bss_cfg->ssid.ssid_len = params->ssid_len;
>
>
>
>
>
>
>
> Credit
>
>
>
> ==========
>
>
>
> This issue was discovered by Max Chee
Are you saying that cfg80211 does not check the SSID length from user
space? I would be very surprised about that.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
next parent reply other threads:[~2021-11-29 8:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <SI2PR06MB4060AE27017D9205ADBC7140A3659@SI2PR06MB4060.apcprd06.prod.outlook.com>
2021-11-29 8:48 ` Kalle Valo [this message]
[not found] <SI2PR06MB40600A3DBE2D37C6C484D4A5A3659@SI2PR06MB4060.apcprd06.prod.outlook.com>
[not found] ` <SI2PR06MB406009BA8EA40388A439FA3DA3659@SI2PR06MB4060.apcprd06.prod.outlook.com>
2021-11-29 7:16 ` Heap based overflow in Marvell Wifi mwifiex_cfg80211_start_ap function Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87czmjgxfe.fsf@codeaurora.org \
--to=kvalo@codeaurora.org \
--cc=amitkarwar@gmail.com \
--cc=davem@davemloft.net \
--cc=ganapathi017@gmail.com \
--cc=huxinming820@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=maxchee@outlook.com \
--cc=sharvari.harisangam@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).