Bug 1590799 (CVE-2018-5848)

Summary: CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption
Product: [Other] Security Response Reporter: Vladis Dronov <vdronov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: airlied, bskeggs, ewk, hdegoede, ichavero, itamar, jarodwilson, jforbes, jglisse, john.j5live, jonathan, josef, jwboyer, kernel-maint, labbott, linville, mchehab, mjg59, steved
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20171202,reported=20180502,source=upstream,cvss3=5.3/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H,cwe=CWE-120,rhel-5/kernel=notaffected,rhel-6/kernel=notaffected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=notaffected,rhel-alt-7/kernel-alt=affected,rhel-8/kernel=notaffected,fedora-all/kernel=notaffected
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:28:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1740304, 1740305, 1590841, 1590842, 1590843, 1591237, 1740306    
Bug Blocks: 1590623    

Description Vladis Dronov 2018-06-13 12:20:42 UTC
In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact.

References:

https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2#_CVE-2018-5848

https://marc.info/?l=linux-wireless&m=151066597529493&w=2

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a

Comment 5 errata-xmlrpc 2018-10-30 07:34:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083

Comment 6 errata-xmlrpc 2018-10-30 07:40:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096

Comment 7 errata-xmlrpc 2018-10-30 09:02:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948