Bug 1744149 (CVE-2019-14816)

Summary: CVE-2019-14816 kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, asavkov, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jshortt, jstancek, jthierry, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rhandlin, rt-maint, rvrbovsk, security-response-team, steved, williams, wmealing, ycote
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's Marvell WiFi chip driver. Where, while parsing vendor-specific informational attributes, an attacker on the same WiFi physical network segment could cause a system crash, resulting in a denial of service, or potentially execute arbitrary code. This flaw affects the network interface at the most basic level meaning the attacker only needs to affiliate with the same network device as the vulnerable system to create an attack path.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-21 20:09:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1775484, 1776609, 1776610, 1776611, 1776612, 1776613, 1776614, 1776615, 1776618, 1776622, 1776623, 1776628, 1776629, 1776607, 1776616, 1776617, 1776619, 1776620, 1776621, 1776624, 1776625, 1776626, 1776627, 1776630, 1776642, 1776650, 1776651, 1776652, 1776653, 1776654, 1776655, 1776656, 1776657, 1776658    
Bug Blocks: 1744150    

Description Marian Rehak 2019-08-21 12:54:03 UTC
There is heap-based buffer overflow in marvell wifi chip driver in Linux kernel while parsing vendor specific infomormational attributes allows an attacker on the same wifi physical network segment to cause a denial of service(system crash) or possibly execute arbitrary code.

Comment 2 msiddiqu 2019-08-28 19:57:55 UTC
Acknowledgments:

Name: Huangwen (ADLab of Venustech)

Comment 3 msiddiqu 2019-08-28 20:01:37 UTC
References: 

https://www.openwall.com/lists/oss-security/2019/08/28/1

Comment 10 Wade Mealing 2019-11-26 05:07:50 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1776607]

Comment 14 Wade Mealing 2019-11-26 05:35:37 UTC
Mitigation:

At this time there is no mitigation to the flaw, if you are able to disable wireless and your system is able to work this will be a temporary mitigation until a kernel update is available for installation.

Comment 17 Justin M. Forbes 2019-11-26 14:04:17 UTC
This was fixed for Fedora with the 5.2.17 stable kernel update.

Comment 20 errata-xmlrpc 2020-01-21 15:50:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0174 https://access.redhat.com/errata/RHSA-2020:0174

Comment 21 Product Security DevOps Team 2020-01-21 20:09:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14816

Comment 22 errata-xmlrpc 2020-01-22 21:26:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0204 https://access.redhat.com/errata/RHSA-2020:0204