| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230710150130.2449934-1-pinkperfect2021@gmail.com>
Date: Mon, 10 Jul 2023 15:01:30 +0000
From: pinkperfect <pinkperfect2021@...il.com>
To: pinkperfect2021@...il.com
Cc: amitkarwar@...il.com, ganapathi017@...il.com,
huxinming820@...il.com, kvalo@...nel.org,
linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org,
sharvari.harisangam@....com
Subject: Re: [PATCH v2] wifi: mwifiex: Fix OOB and integer underflow in mwifiex_process_mgmt_packet
Hi, this vulnerability has been reported to and discussed with chromeos teams,
the detail analysis, see comments in below code:
mwifiex_process_sta_rx_packet makes sure rx_pkt_offset + rx_pkt_length <= skb->len
In mwifiex_process_mgmt_packet:
rx_pd = (struct rxpd *)skb->data;
// skb->len -= rx_pkt_offset, skb->len == rx_pkt_length
skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset));
// skb->len == rx_pkt_length - 2, if set rx_pkt_length == 4, skb->len == 2
skb_pull(skb, sizeof(pkt_len));
pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
//skip..
// now skb->len == 2, skb->data + 24 is oob from skb buffer
// skb->data + 30 is oob from skb buffer
// pkt_len == 4, so underflow
memmove(skb->data + sizeof(struct ieee80211_hdr_3addr),
skb->data + sizeof(struct ieee80211_hdr),
pkt_len - sizeof(struct ieee80211_hdr));
On MT8173 chromebook, the arm64 memmove.S / memcpy.S code logical
cause memove(dst, src, -x) a possible exploitable oob write vulnerability
not only a unexploitable crash
Powered by blists - more mailing lists