Bug 1763690 (CVE-2019-17666)

Summary: CVE-2019-17666 kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acaringi, airlied, asavkov, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jschorr, jshortt, jstancek, jthierry, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, mmilgram, nmurray, plougher, pmatouse, rhandlin, rtillery, rt-maint, rvrbovsk, steved, williams, wmealing, ycote
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 5.3.6
Doc Text:
A flaw was found in the WiFi-Direct (or WiFi peer-to-peer) implementation of the Linux kernel's RealTek wireless drivers. When the RealTek wireless networking hardware is configured to accept WiFi-Direct or WiFi P2P connections, an attacker within the wireless network connectivity radio range can exploit a flaw in the WiFi-Direct protocol known as "Notice of Absence" by creating specially crafted frames, which can then corrupt kernel memory because the upper bound on the length of the frame is unchecked and the length is supplied by the incoming packet.
Last Closed: 2020-02-04 14:09:35 UTC
Bug Depends On: 1763692, 1775221, 1775222, 1775223, 1775225, 1775226, 1775227, 1775228, 1775229, 1775230, 1775231, 1775232, 1775233, 1775235, 1775236, 1775237, 1775238, 1775239, 1775240, 1775241, 1775242, 1775243, 1775244, 1775261, 1789842, 1809607    
Bug Blocks: 1763694    

Description Marian Rehak 2019-10-21 11:16:21 UTC
A flaw was found in the Linux kernel's implementation of RealTek wireless drivers Wifi-direct (or wifi peer-to-peer) driver implementation.

When the RealTek wireless networking hardware is configured to accept Wifi-Direct (or Wifi P2P) connections, an attacker within wireless network connectivity radio range is able to exploit a flaw in the Wifi-direct protocol known as "Notice of Absence" by creating specially crafted frames which can corrupt kernel memory, as the upper bound on the length of the frame is unchecked and supplied by the incoming packet.

At this time, Red Hat Enterprise Linux 6 and 7 and 8 do not enable Wifi-Direct by default, but a privileged user can use standard command line tooling available to enable this feature allowing it to be attacked.
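
The missing upper-bound check described above, shown as an added example in a simplified user-space model; this is not the kernel's code and not part of the original report. The names (`noa_state`, `noa_parse`, `noa_claimed_count`), the attribute layout constants and the slot count are assumptions made for illustration, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout for this model: 2-byte LE length, 2-byte header, 13-byte descriptors. */
#define NOA_HDR_LEN  2
#define NOA_DESC_LEN 13
#define MAX_NOA_NUM  2   /* assumed number of descriptor slots in the state below */

struct noa_state {       /* hypothetical stand-in for the driver's fixed-size state */
    uint8_t num;
    uint8_t desc[MAX_NOA_NUM][NOA_DESC_LEN];
};

/* Constructed sample: length 0x43 (67) claims (67 - 2) / 13 = 5 descriptors. */
static const uint8_t sample_five[2 + 67] = { 0x43, 0x00, 0x01, 0x00, 3, 0x10 };

/* Descriptor count implied by the sender-controlled length field alone. */
size_t noa_claimed_count(const uint8_t *attr, size_t avail)
{
    size_t len = avail < 2 ? 0 : (size_t)(attr[0] | attr[1] << 8);
    return len < NOA_HDR_LEN ? 0 : (len - NOA_HDR_LEN) / NOA_DESC_LEN;
}

/* Hardened parse: returns descriptors stored, or -1 for a malformed attribute. */
int noa_parse(const uint8_t *attr, size_t avail, struct noa_state *st)
{
    if (avail < 2)
        return -1;
    size_t len = (size_t)(attr[0] | attr[1] << 8);
    if (len < NOA_HDR_LEN || len > avail - 2)   /* claimed length must fit the frame */
        return -1;
    size_t n = (len - NOA_HDR_LEN) / NOA_DESC_LEN;
    if (n > MAX_NOA_NUM)                        /* upper bound: never index past the slots */
        n = MAX_NOA_NUM;
    memset(st, 0, sizeof(*st));
    for (size_t i = 0; i < n; i++)
        memcpy(st->desc[i], attr + 2 + NOA_HDR_LEN + i * NOA_DESC_LEN, NOA_DESC_LEN);
    st->num = (uint8_t)n;
    return (int)n;
}

int main(void)
{
    struct noa_state st;
    return noa_parse(sample_five, sizeof(sample_five), &st) == MAX_NOA_NUM ? 0 : 1;
}
```

Without the clamp, the loop would run for the count derived from the packet's own length field and write past the fixed-size array, which is the memory corruption this bug describes.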

Comment 1 Marian Rehak 2019-10-21 11:16:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1763692]

Comment 11 Marian Rehak 2019-11-25 13:08:19 UTC
Hello!

The information seems to check out, thank you very much for this improvement!

Comment 14 errata-xmlrpc 2020-02-04 08:52:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0328 https://access.redhat.com/errata/RHSA-2020:0328

Comment 15 errata-xmlrpc 2020-02-04 13:12:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0339 https://access.redhat.com/errata/RHSA-2020:0339

Comment 16 Product Security DevOps Team 2020-02-04 14:09:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17666

Comment 18 errata-xmlrpc 2020-02-18 14:43:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0543 https://access.redhat.com/errata/RHSA-2020:0543

Comment 20 errata-xmlrpc 2020-03-03 10:04:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:0661 https://access.redhat.com/errata/RHSA-2020:0661

Comment 23 errata-xmlrpc 2020-03-09 14:31:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0740 https://access.redhat.com/errata/RHSA-2020:0740

Comment 24 errata-xmlrpc 2020-03-17 10:37:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0831 https://access.redhat.com/errata/RHSA-2020:0831

Comment 25 errata-xmlrpc 2020-03-17 16:16:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0834 https://access.redhat.com/errata/RHSA-2020:0834

Comment 26 errata-xmlrpc 2020-03-17 16:17:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0839 https://access.redhat.com/errata/RHSA-2020:0839

Comment 28 errata-xmlrpc 2020-04-07 09:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:1353 https://access.redhat.com/errata/RHSA-2020:1353

Comment 29 errata-xmlrpc 2020-04-07 09:33:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:1347 https://access.redhat.com/errata/RHSA-2020:1347

Comment 30 errata-xmlrpc 2020-04-14 14:52:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:1473 https://access.redhat.com/errata/RHSA-2020:1473

Comment 31 errata-xmlrpc 2020-04-14 17:40:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1465 https://access.redhat.com/errata/RHSA-2020:1465

Comment 33 errata-xmlrpc 2020-04-22 07:35:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1524 https://access.redhat.com/errata/RHSA-2020:1524