1590799 – (CVE-2018-5848) CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption

Bug 1590799 (CVE-2018-5848) - CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption

Summary: CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-5848
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1590841 1590842 1590843 1591237 1740304 1740305 1740306
Blocks:	1590623
TreeView+	depends on / blocked

Reported:	2018-06-13 12:20 UTC by Vladis Dronov
Modified:	2021-02-17 00:08 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
Clone Of:
Environment:
Last Closed:	2019-06-10 10:28:51 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2948	None	None	None	2018-10-30 09:02:11 UTC
Red Hat Product Errata	RHSA-2018:3083	None	None	None	2018-10-30 07:34:23 UTC
Red Hat Product Errata	RHSA-2018:3096	None	None	None	2018-10-30 07:40:32 UTC

Description Vladis Dronov 2018-06-13 12:20:42 UTC

In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact.

References:

https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2#_CVE-2018-5848

https://marc.info/?l=linux-wireless&m=151066597529493&w=2

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a

Comment 5 errata-xmlrpc 2018-10-30 07:34:12 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083

Comment 6 errata-xmlrpc 2018-10-30 07:40:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096

Comment 7 errata-xmlrpc 2018-10-30 09:02:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948

Note You need to log in before you can comment on or make changes to this bug.