Bug 1773519 (CVE-2019-14901)

Summary: CVE-2019-14901 kernel: heap overflow in marvell/mwifiex/tdls.c
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, asavkov, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jschorr, jshortt, jstancek, jthierry, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, msiddiqu, nmurray, plougher, qzhao, rhandlin, rt-maint, rvrbovsk, security-response-team, steved, williams, ycote, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A heap overflow flaw was found in the Linux kernel's Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-23 02:10:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1776156, 1776157, 1776158, 1776159, 1776160, 1776161, 1776162, 1776163, 1776165, 1776166, 1776167, 1776168, 1776169, 1776170, 1776171, 1776172, 1776173, 1776174, 1776175, 1776176, 1776184    
Bug Blocks: 1773521    

Description Dhananjay Arunesh 2019-11-18 10:48:37 UTC
A flaw was found in the Linux kernel's Marvell wifi chip driver. A heap overflow in &nbsp;mwifiex_process_tdls_action_frame&nbsp;function in marvell/mwifiex/tdls.c allows remote attackers to cause a denial of service(system crash) or execute arbitrary code. the station receive a tdls setup request or respone frame which the EID_SUPP_RATES IE 's length is larger than 32 will cause Heap Overflow.

Comment 1 Wade Mealing 2019-11-25 05:47:44 UTC
Proposed patch:

https://patchwork.kernel.org/patch/11257535/

Comment 6 msiddiqu 2019-11-25 09:27:51 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1776184]

Comment 8 msiddiqu 2019-11-25 10:26:07 UTC
Acknowledgments:

Name: Huangwen and Wang Qize (ADLab of VenusTech)

Comment 13 errata-xmlrpc 2020-01-22 21:26:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0204 https://access.redhat.com/errata/RHSA-2020:0204

Comment 14 Product Security DevOps Team 2020-01-23 02:10:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14901

Comment 15 errata-xmlrpc 2020-02-04 08:52:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0328 https://access.redhat.com/errata/RHSA-2020:0328

Comment 16 errata-xmlrpc 2020-02-04 13:12:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0339 https://access.redhat.com/errata/RHSA-2020:0339

Comment 17 errata-xmlrpc 2020-02-04 19:30:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0374 https://access.redhat.com/errata/RHSA-2020:0374

Comment 18 errata-xmlrpc 2020-02-04 19:30:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0375 https://access.redhat.com/errata/RHSA-2020:0375

Comment 23 errata-xmlrpc 2020-04-16 14:38:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1493 https://access.redhat.com/errata/RHSA-2020:1493