lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20230712175711.1431adec@kernel.org>
Date:   Wed, 12 Jul 2023 17:57:11 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     pinkperfect <pinkperfect2021@...il.com>
Cc:     amitkarwar@...il.com, ganapathi017@...il.com,
        huxinming820@...il.com, kvalo@...nel.org,
        linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org,
        sharvari.harisangam@....com
Subject: Re: [PATCH v2] wifi: mwifiex: Fix OOB and integer underflow in
 mwifiex_process_mgmt_packet

On Mon, 10 Jul 2023 15:01:30 +0000 pinkperfect wrote:
> Hi, this vulnerability has been reported to and discussed with chromeos teams,
> the detail analysis, see comments in below code:
> mwifiex_process_sta_rx_packet makes sure rx_pkt_offset + rx_pkt_length <= skb->len
> In mwifiex_process_mgmt_packet:
> 
>         rx_pd = (struct rxpd *)skb->data;
> 
>         // skb->len -= rx_pkt_offset, skb->len == rx_pkt_length
>         skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset));
>         // skb->len == rx_pkt_length - 2, if set rx_pkt_length == 4, skb->len == 2
>         skb_pull(skb, sizeof(pkt_len));
> 
>         pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
> 
>         //skip..
> 
>         // now skb->len == 2, skb->data + 24 is oob from skb buffer
>         // skb->data + 30 is oob from skb buffer
>         // pkt_len == 4, so underflow
>         memmove(skb->data + sizeof(struct ieee80211_hdr_3addr),
>                 skb->data + sizeof(struct ieee80211_hdr),
>                 pkt_len - sizeof(struct ieee80211_hdr));
> 
> On MT8173 chromebook, the arm64 memmove.S / memcpy.S code logical
> cause memove(dst, src, -x) a possible exploitable oob write vulnerability
> not only a unexploitable crash

Oh, didn't see the v2, please address the comments I just sent to v1.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ