* Re: Heap based overflow in Marvell Wifi mwifiex_cfg80211_start_ap function
[not found] <SI2PR06MB4060AE27017D9205ADBC7140A3659@SI2PR06MB4060.apcprd06.prod.outlook.com>
@ 2021-11-29 8:48 ` Kalle Valo
0 siblings, 0 replies; 2+ messages in thread
From: Kalle Valo @ 2021-11-29 8:48 UTC (permalink / raw)
To: max chee
Cc: linux-wireless, amitkarwar, ganapathi017, sharvari.harisangam,
huxinming820, davem, kuba
max chee <maxchee@outlook.com> writes:
> I found a possible heap-based overflow through code review in marvell wifi chip driver in Linux
> Kernel, allowing local users to cause a denial of service or possibly execute arbitrary code. Similar
> to CVE-2019-14814, I think that the bug can be triggered by sending crafted packet via netlink.
>
> I believe this belongs to the Linux Wireless mailing list
> (https://patchwork.kernel.org/project/linux-wireless/)
Please don't send HTML emails, our mailing lists drop them. I found this
from my spam folder just by accident.
> Description
>
>
>
> ==========
>
>
>
> [1]Heap Overflow in mwifiex_cfg80211_start_ap() function of Marvell Wifi Driver in Linux kernel
>
>
>
>
>
> The problem is inside mwifiex_cfg80211_start_ap() in
> drivers/net/wireless/marvell/mwifiex/cfg80211.c
>
>
>
> There is a memcpy calls in this function to copy params->ssid without checking length. This
> would result in a heap overflow because params->ssid_len is from cfg80211_ap_settings which is
> from user space.
>
>
>
>
>
> Recommended Patch in drivers/net/wireless/marvell/mwifiex/cfg80211.c
>
>
>
> =====
>
>
>
> + if (ssid_len > IEEE80211_MAX_SSID_LEN) {
>
> + mwifiex_dbg(priv->adapter, ERROR, "invalid SSID - aborting\n");
>
> + return -EINVAL;
>
> + }
>
> if (params->ssid && params->ssid_len) {
>
> memcpy(bss_cfg->ssid.ssid, params->ssid, params->ssid_len);
>
> bss_cfg->ssid.ssid_len = params->ssid_len;
>
>
>
>
>
>
>
> Credit
>
>
>
> ==========
>
>
>
> This issue was discovered by Max Chee
Are you saying that cfg80211 does not check the SSID length from user
space? I would be very surprised about that.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Heap based overflow in Marvell Wifi mwifiex_cfg80211_start_ap function
[not found] ` <SI2PR06MB406009BA8EA40388A439FA3DA3659@SI2PR06MB4060.apcprd06.prod.outlook.com>
@ 2021-11-29 7:16 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2021-11-29 7:16 UTC (permalink / raw)
To: max chee; +Cc: security, linux-wireless
This is a false positive. The nla stuff has checking which is pretty
tricky for static analysis to handle. Here is how that attribute is
defined.
net/wireless/nl80211.c
544 [NL80211_ATTR_SSID] = { .type = NLA_BINARY,
545 .len = IEEE80211_MAX_SSID_LEN },
When the NL80211_ATTR_SSID attr is parsed it's capped at
0-IEEE80211_MAX_SSID_LEN because of this.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-11-29 8:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <SI2PR06MB4060AE27017D9205ADBC7140A3659@SI2PR06MB4060.apcprd06.prod.outlook.com>
2021-11-29 8:48 ` Heap based overflow in Marvell Wifi mwifiex_cfg80211_start_ap function Kalle Valo
[not found] <SI2PR06MB40600A3DBE2D37C6C484D4A5A3659@SI2PR06MB4060.apcprd06.prod.outlook.com>
[not found] ` <SI2PR06MB406009BA8EA40388A439FA3DA3659@SI2PR06MB4060.apcprd06.prod.outlook.com>
2021-11-29 7:16 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).