Linux-Wireless Archive on lore.kernel.org
* [PATCH] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
@ 2019-08-28  2:07 huangwenabc
From: huangwenabc @ 2019-08-28  2:07 UTC (permalink / raw)
  To: linux-wireless
  Cc: amitkarwar, nishants, gbhat, huxinming820, solar, greg, kvalo,
	sashal, mrehak

From: Wen Huang <huangwenabc@gmail.com>

mwifiex_update_vs_ie(), mwifiex_set_uap_rates() and
mwifiex_set_wmm_params() call memcpy() without checking
the destination size. Since the source is given from
user-space, this may trigger a heap buffer overflow.

Fix them by putting the length check before performing memcpy().

This fix addresses CVE-2019-14814, CVE-2019-14815, CVE-2019-14816.

Signed-off-by: Wen Huang <huangwenabc@gmail.com>
---
 drivers/net/wireless/marvell/mwifiex/ie.c      | 3 +++
 drivers/net/wireless/marvell/mwifiex/uap_cmd.c | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c
index 653d347a9..580387f9f 100644
--- a/drivers/net/wireless/marvell/mwifiex/ie.c
+++ b/drivers/net/wireless/marvell/mwifiex/ie.c
@@ -241,6 +241,9 @@ static int mwifiex_update_vs_ie(const u8 *ies, int ies_len,
 		}
 
 		vs_ie = (struct ieee_types_header *)vendor_ie;
+		if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 >
+			IEEE_MAX_IE_SIZE)
+			return -EINVAL;
 		memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length),
 		       vs_ie, vs_ie->len + 2);
 		le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2);
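Review bot: the continuation line `IEEE_MAX_IE_SIZE)` is indented with one extra tab instead of being aligned under the opening parenthesis of the `if (`, which is the kernel style for a wrapped condition; more substantively, the bound is only correct if `ie->ie_buffer` is exactly `IEEE_MAX_IE_SIZE` bytes, and nothing in the hunk says so, so a one-line comment above the check naming the buffer it protects would help the next reader. The arithmetic itself is safe: `le16_to_cpu()` shows `ie_length` is 16 bits and an 802.11 element length is a single byte, so the sum is computed in int without wrapping.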
diff --git a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
index 18f7d9bf3..0939a8c8f 100644
--- a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
+++ b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
@@ -265,6 +265,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg,
 
 	rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len);
 	if (rate_ie) {
+		if (rate_ie->len > MWIFIEX_SUPPORTED_RATES)
+			return;
 		memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len);
 		rate_len = rate_ie->len;
 	}
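Review bot: the new early `return` silently discards the whole rates element when `rate_ie->len` exceeds `MWIFIEX_SUPPORTED_RATES`: `mwifiex_set_uap_rates()` is void (see the bare `return;` below), so the caller goes on to start the AP with `bss_cfg->rates` left as it was and `rate_len` unchanged, instead of the request failing. For a minimal fix that is acceptable, but consider returning an error, as the `ie.c` hunk does with `-EINVAL`, so an over-long element is rejected at the cfg80211 boundary rather than quietly ignored.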
@@ -272,8 +274,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg,
 	rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
 					   params->beacon.tail,
 					   params->beacon.tail_len);
-	if (rate_ie)
+	if (rate_ie) {
+		if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len)
+			return;
 		memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len);
+	}
 
 	return;
 }
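Review bot: the bound `MWIFIEX_SUPPORTED_RATES - rate_len` is only right if `rate_len` is 0 on the path where no `WLAN_EID_SUPP_RATES` element was found; its initialisation is outside this hunk, so please confirm it is set rather than left indeterminate. Because the previous hunk guarantees `rate_len <= MWIFIEX_SUPPORTED_RATES`, the subtraction cannot go negative, which is worth a short comment above the check since the two conditions only make sense together. The `return;` just before the closing brace is redundant in a void function, though it predates this change.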
@@ -391,6 +396,8 @@ mwifiex_set_wmm_params(struct mwifiex_private *priv,
 					    params->beacon.tail_len);
 	if (vendor_ie) {
 		wmm_ie = vendor_ie;
+		if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
+			return;
 		memcpy(&bss_cfg->wmm_info, wmm_ie +
 		       sizeof(struct ieee_types_header), *(wmm_ie + 1));
 		priv->wmm_enabled = 1;
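Review bot: `*(wmm_ie + 1)` is the element's length byte and is read twice (once in the check, once in `memcpy()`); loading it once into a named local such as `wmm_len` would make the bound self-explanatory. Note also that the check is an upper bound only: an element shorter than `sizeof(struct mwifiex_types_wmm_info)` copies fewer bytes and leaves the tail of `bss_cfg->wmm_info` holding whatever was there before, so if the firmware expects a complete structure the short case should either be rejected or the remainder zeroed.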
-- 
2.17.1



* RE: [EXT] [PATCH] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
From: Ganapathi Bhat @ 2019-08-28  3:01 UTC (permalink / raw)
  To: huangwenabc, linux-wireless
  Cc: amitkarwar, nishants, huxinming820, solar, greg, kvalo, sashal, mrehak

Hi Wen Huang,

> mwifiex_update_vs_ie(), mwifiex_set_uap_rates() and
> mwifiex_set_wmm_params() call memcpy() without checking the destination
> size. Since the source is given from user-space, this may trigger a heap buffer
> overflow.
> 
> Fix them by putting the length check before performing memcpy().
> 
> This fix addresses CVE-2019-14814, CVE-2019-14815, CVE-2019-14816.

Thanks for the fix, this change looks good;

Acked-by: Ganapathi Bhat <gbhat@marvell.comg>

Regards,
Ganapathi


* Re: [PATCH] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
From: Johannes Berg @ 2019-08-28 20:36 UTC (permalink / raw)
  To: huangwenabc, linux-wireless
  Cc: amitkarwar, nishants, gbhat, huxinming820, solar, greg, kvalo,
	sashal, mrehak

First of all, the subject doesn't make a lot of sense?


Secondly, for a fix the code is fine I guess, but:

>  	rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
>  					   params->beacon.tail,
>  					   params->beacon.tail_len);

consider removing struct ieee_types_header from your driver, and using
struct element from <linux/ieee80211.h> instead.

This also comes with cfg80211_find_elem() that returns a suitably typed
pointer, so you don't need any casts.

>  	if (vendor_ie) {
>  		wmm_ie = vendor_ie;
> +		if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
> +			return;

and using it here would be a whole lot easier to understand too :)

johannes



* Re: [PATCH] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
From: Johannes Berg @ 2019-08-28 20:37 UTC (permalink / raw)
  To: huangwenabc, linux-wireless
  Cc: amitkarwar, nishants, gbhat, huxinming820, solar, greg, kvalo,
	sashal, mrehak

On Wed, 2019-08-28 at 22:36 +0200, Johannes Berg wrote:
> First of all, the subject doesn't make a lot of sense?

Ah, the whole thing is called under that function I guess, never mind

johannes



* Re: [PATCH] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
From: Kalle Valo @ 2019-09-03 13:50 UTC (permalink / raw)
  To: huangwenabc
  Cc: linux-wireless, amitkarwar, nishants, gbhat, huxinming820, solar,
	greg, sashal, mrehak

huangwenabc@gmail.com wrote:

> From: Wen Huang <huangwenabc@gmail.com>
> 
> mwifiex_update_vs_ie(), mwifiex_set_uap_rates() and
> mwifiex_set_wmm_params() call memcpy() without checking
> the destination size. Since the source is given from
> user-space, this may trigger a heap buffer overflow.
> 
> Fix them by putting the length check before performing memcpy().
> 
> This fix addresses CVE-2019-14814, CVE-2019-14815, CVE-2019-14816.
> 
> Signed-off-by: Wen Huang <huangwenabc@gmail.com>
> Acked-by: Ganapathi Bhat <gbhat@marvell.comg>

Patch applied to wireless-drivers.git, thanks.

7caac62ed598 mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings

-- 
https://patchwork.kernel.org/patch/11117681/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


