Bug 1832530 (CVE-2020-12654) - CVE-2020-12654 kernel: heap-based buffer overflow in mwifiex_ret_wmm_get_status function in drivers/net/wireless/marvell/mwifiex/wmm.c
Status: NEW
Alias: CVE-2020-12654
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1807052 1844063 1844065 1844066 1844067 1844068 1844069 1844070 1844071 1844072 1844073 1844075 1844076 1844077 1844078 1844079 1844080 1844082 1844083 1832531 1844074 1844081
Blocks: 1832532
Reported: 2020-05-06 19:19 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-06-04 17:11 UTC

Fixed In Version:
Doc Text:
A flaw was found in the Linux kernel. The Marvell mwifiex driver allows a remote WiFi access point to trigger a heap-based memory buffer overflow due to an incorrect memcpy operation. The highest threat from this vulnerability is to data integrity and system availability.
Clone Of:
Last Closed:

Description Guilherme de Almeida Suckevicz 2020-05-06 19:19:17 UTC
An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy.

Reference and upstream commit:

Comment 1 Guilherme de Almeida Suckevicz 2020-05-06 19:19:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1832531]

Comment 2 Justin M. Forbes 2020-05-06 21:18:59 UTC
This was fixed for Fedora with the 5.4.20 stable kernel updates.

Comment 3 Petr Matousek 2020-06-04 14:54:19 UTC

In order to mitigate this issue it is possible to prevent the affected code from being loaded by blacklisting the kernel module mwifiex. For instructions relating to how to blacklist a kernel module refer to: https://access.redhat.com/solutions/41278
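A check for the mitigation in Comment 3, as an added example that is not part of the bug report or the linked Red Hat article: it classifies how a modprobe.d-style directory treats mwifiex and whether the module is already loaded. The function names are hypothetical, the sample files are constructed, and it assumes standard modprobe.d semantics, where `blacklist` only suppresses alias-based autoloading and an `install <module> /bin/false` line blocks loading through modprobe.

```shell
#!/bin/sh
# Added example: audits the module-blacklisting mitigation for mwifiex.
# Function names are hypothetical; sample files below are constructed.

# module_block_status DIR [MODULE]
# Scans DIR/*.conf (modprobe.d syntax) and prints one of:
#   blocked        "install MODULE /bin/false" (or /bin/true) is present,
#                  so every modprobe of MODULE fails or becomes a no-op
#   autoload-only  only "blacklist MODULE" is present; alias-based
#                  autoloading is off, but loading by name or as a
#                  dependency of another module still works
#   unblocked      neither directive is present
module_block_status() {
    dir=$1
    # modprobe treats '-' and '_' in module names as equivalent
    mod=$(printf '%s' "${2:-mwifiex}" | sed 's/-/_/g')
    set -- "$dir"/*.conf
    [ -f "$1" ] || { echo unblocked; return 0; }
    awk -v mod="$mod" '
        /^[ \t]*#/ { next }                      # skip comments
        { name = $2; gsub(/-/, "_", name) }
        $1 == "blacklist" && name == mod { bl = 1 }
        $1 == "install" && name == mod &&
            ($3 == "/bin/false" || $3 == "/bin/true") { inst = 1 }
        END { print (inst ? "blocked" : (bl ? "autoload-only" : "unblocked")) }
    ' "$@"
}

# module_loaded MODULE [FILE]
# Exit 0 if MODULE is listed in FILE (default /proc/modules). A module
# that is already loaded stays loaded until it is removed or the host reboots.
module_loaded() {
    awk -v mod="$1" '$1 == mod { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# Demo on a constructed modprobe.d directory (nothing on the host is read).
demo=$(mktemp -d)
printf 'blacklist mwifiex\n' > "$demo/mwifiex.conf"
module_block_status "$demo"     # autoload-only
printf 'install mwifiex /bin/false\n' >> "$demo/mwifiex.conf"
module_block_status "$demo"     # blocked
rm -rf "$demo"
```

On a real host, call `module_block_status /etc/modprobe.d` and `module_loaded mwifiex`; a result of `blocked` together with a loaded module means the configuration takes effect only after the module is removed or the system restarts.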
