In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact. References: https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2#_CVE-2018-5848 https://marc.info/?l=linux-wireless&m=151066597529493&w=2 An upstream fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948