Bug 1590799 - (CVE-2018-5848) CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption
CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20171202,repor...
: Security
Depends On: 1590841 1590842 1590843 1591237
Blocks: 1590623
  Show dependency treegraph
 
Reported: 2018-06-13 08:20 EDT by Vladis Dronov
Modified: 2018-07-09 09:58 EDT (History)
19 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vladis Dronov 2018-06-13 08:20:42 EDT
In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact.

References:

https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2#_CVE-2018-5848

https://marc.info/?l=linux-wireless&m=151066597529493&w=2

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a

Note You need to log in before you can comment on or make changes to this bug.