There was a memory overflow and data corruption flaw seen in the Mediatek MT76 driver module for wifi in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c. In this problem an oversized packet with too many rx fragments causes an overflow and a corruption in memory of adjacent pages. A local attacker with special user (or root) privilege can cause a DoS or a leak of internal kernel information.

Reference:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.10

Upstream commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b102f0c522cf668c8382c56a4f771b37d011cda2
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1831703]
This was fixed for Fedora with the 5.5.10 stable kernel updates.
Mitigation:

Mitigation for this issue is to skip loading the affected module mt76 onto the system until we have a fix available. This can be done by a blacklist mechanism and ensures the driver is not loaded at the boot time.
~~~
How do I blacklist a kernel module to prevent it from loading automatically?
https://access.redhat.com/solutions/41278
~~~
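To audit whether the mitigation above is actually in place, the following added example (not part of the original bug report) scans a modprobe.d-style directory for directives that block mt76. The function names and sample files are hypothetical and constructed for illustration; the `install <module> /bin/false` override is standard modprobe.d syntax rather than something stated in this report, and it matters because a bare `blacklist` line only suppresses alias-based autoloading.

```shell
#!/bin/sh
# Added example: audit modprobe.d-style configuration for a module block.
# module_block_status DIR MODULE returns:
#   0 = "install MODULE /bin/false" (or /bin/true) override present
#   1 = only "blacklist MODULE" (explicit or dependency loads still work)
#   2 = no blocking directive found
module_block_status() {
    dir=$1; mod=$2
    found_blacklist=0; found_install=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Comments are stripped first so "#blacklist mt76" does not count.
        while read -r kw name cmd _rest; do
            [ "$name" = "$mod" ] || continue
            case "$kw" in
                blacklist) found_blacklist=1 ;;
                install)
                    case "$cmd" in
                        /bin/false|/bin/true|/usr/bin/false|/usr/bin/true)
                            found_install=1 ;;
                    esac ;;
            esac
        done <<EOF
$(sed 's/#.*//' "$f")
EOF
    done
    [ "$found_install" -eq 1 ] && return 0
    [ "$found_blacklist" -eq 1 ] && return 1
    return 2
}

# Constructed sample configurations (not taken from a real host).
make_sample_dir() {
    d=$(mktemp -d)
    case "$1" in
        full) printf '# block mt76\nblacklist mt76\ninstall mt76 /bin/false\n' > "$d/mt76.conf" ;;
        blacklist-only) printf 'blacklist mt76\n' > "$d/mt76.conf" ;;
        commented) printf '#blacklist mt76\n' > "$d/mt76.conf" ;;
    esac
    echo "$d"
}

# Demo on a constructed sample; on a real system pass /etc/modprobe.d instead.
sample=$(make_sample_dir blacklist-only)
rc=0; module_block_status "$sample" mt76 || rc=$?
echo "blacklist-only sample: status $rc"
rm -rf "$sample"
```

A status of 1 or 2 on a host that has not yet received the fixed kernel means the driver can still be loaded; neither directive unloads a module that is already resident.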
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431