NACK: [SRU][CVE-2020-36158][G/F/B/X][PATCH 0/1] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start

William Breathitt Gray william.gray at canonical.com
Mon Feb 8 13:21:35 UTC 2021 

On Fri, Jan 29, 2021 at 08:38:08AM -0500, William Breathitt Gray wrote:
> SRU Justification
> =================
> 
> [Impact]
> 
> mwifiex_cmd_802_11_ad_hoc_start in
> drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through
> 5.10.4 might allow remote attackers to execute arbitrary code via a long
> SSID value, aka CID-5c455c5ab332.
> 
> [Fix]
> 
> mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
> the destination size may trigger a buffer overflower,
> which a local user could use to cause denial of service
> or the execution of arbitrary code.
> Fix it by putting the length check before calling memcpy().
> 
> [Testing]
> 
> The marvell wifi driver could allow a local attacker to execute
> arbitrary code via a long SSID value. To test for this bug, attempt to
> start an ad-hoc network with an SSID value length greater than
> IEEE80211_MAX_SSID_LEN (32 bytes); this should subsequently overflow the
> buffer.
> 
> [Where problems could occur]
> 
> This fix only touches the mwifiex_cmd_802_11_ad_hoc_start() function. It
> restricts the maximum SSID value length. If a problem occurs, it will
> occur in the SSID length evaluation: users may not be able to input long
> SSID values.
> 
> [Miscellaneous]
> 
> Xenial is missing drivers/net/wireless/marvell/mwifiex/join.c; this was
> originally drivers/net/wireless/mwifiex/join.c. The backport for Xenial
> is a context adjustment to account for that rename.
> 
> Zhang Xiaohui (1):
>   mwifiex: Fix possible buffer overflows in
>     mwifiex_cmd_802_11_ad_hoc_start
> 
>  drivers/net/wireless/marvell/mwifiex/join.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> -- 
> 2.27.0

This fix has been pulled in already by upstream patchsets to
xenial,bionic,focal,groovy:linux/master-next.

Nacked-by: William Breathitt Gray <william.gray at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20210208/b11416c9/attachment.sig>

More information about the kernel-team mailing list