[SRU][CVE-2020-36158][G/F/B/X][PATCH 0/1] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
William Breathitt Gray
william.gray at canonical.com
Fri Jan 29 13:38:08 UTC 2021
SRU Justification
=================
[Impact]
mwifiex_cmd_802_11_ad_hoc_start in
drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through
5.10.4 might allow remote attackers to execute arbitrary code via a long
SSID value, aka CID-5c455c5ab332.
[Fix]
mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
the destination size, which may trigger a buffer overflow
that a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().
[Testing]
The Marvell Wi-Fi driver could allow a local attacker to execute
arbitrary code via a long SSID value. To test for this bug, attempt to
start an ad-hoc network with an SSID value length greater than
IEEE80211_MAX_SSID_LEN (32 bytes); this should subsequently overflow the
buffer.
[Where problems could occur]
This fix only touches the mwifiex_cmd_802_11_ad_hoc_start() function. It
restricts the maximum SSID value length. If a problem occurs, it will
occur in the SSID length evaluation: users may not be able to input long
SSID values.
[Miscellaneous]
Xenial is missing drivers/net/wireless/marvell/mwifiex/join.c; this was
originally drivers/net/wireless/mwifiex/join.c. The backport for Xenial
is a context adjustment to account for that rename.
Zhang Xiaohui (1):
  mwifiex: Fix possible buffer overflows in
    mwifiex_cmd_802_11_ad_hoc_start

 drivers/net/wireless/marvell/mwifiex/join.c | 2 ++
 1 file changed, 2 insertions(+)
--
2.27.0
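
The bug class and the "length check before memcpy()" fix described in [Fix] and [Testing], as an added user-space illustration that is not the driver's code or part of the original message. The struct, field and function names are hypothetical, and clamping the length to the field size is this example's assumption about how the check restricts long SSIDs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SSID_LEN 32  /* same value as IEEE80211_MAX_SSID_LEN */

/* Hypothetical stand-in for a firmware command with a fixed SSID field. */
struct adhoc_cmd {
    uint8_t ssid[MAX_SSID_LEN];
    uint8_t bss_mode;            /* neighbour that an overflow would clobber */
    uint16_t beacon_period;
};

/* 'Before' shape: trusts the caller-supplied length. Not called below. */
void fill_ssid_unchecked(struct adhoc_cmd *cmd, const uint8_t *ssid, size_t len)
{
    memset(cmd->ssid, 0, sizeof(cmd->ssid));
    memcpy(cmd->ssid, ssid, len);   /* len > 32 writes past cmd->ssid */
}

/* 'After' shape: length check placed before memcpy(). Returns bytes copied. */
size_t fill_ssid_checked(struct adhoc_cmd *cmd, const uint8_t *ssid, size_t len)
{
    if (len > sizeof(cmd->ssid))
        len = sizeof(cmd->ssid);    /* clamp: long SSIDs are truncated */
    memset(cmd->ssid, 0, sizeof(cmd->ssid));
    memcpy(cmd->ssid, ssid, len);
    return len;
}

/* Runs the checked copy on a constructed 40-byte SSID; returns 1 if exactly
 * 32 bytes were copied and the neighbouring fields are unchanged. */
int demo_long_ssid(void)
{
    uint8_t long_ssid[40];
    struct adhoc_cmd cmd = { .bss_mode = 0x5a, .beacon_period = 100 };
    memset(long_ssid, 'A', sizeof(long_ssid));   /* constructed input */
    size_t n = fill_ssid_checked(&cmd, long_ssid, sizeof(long_ssid));
    return n == MAX_SSID_LEN && cmd.bss_mode == 0x5a &&
           cmd.beacon_period == 100 && cmd.ssid[MAX_SSID_LEN - 1] == 'A';
}

int main(void)
{
    printf("long SSID handled safely: %s\n", demo_long_ssid() ? "yes" : "no");
    return 0;
}
```

The truncation in the checked path is the user-visible effect noted under [Where problems could occur]: an SSID longer than 32 bytes is no longer accepted at full length.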