1832530 – (CVE-2020-12654) CVE-2020-12654 kernel: heap-based buffer overflow in mwifiex_ret_wmm_get_status function in drivers/net/wireless/marvell/mwifiex/wmm.c

Bug 1832530 (CVE-2020-12654) - CVE-2020-12654 kernel: heap-based buffer overflow in mwifiex_ret_wmm_get_status function in drivers/net/wireless/marvell/mwifiex/wmm.c

Summary: CVE-2020-12654 kernel: heap-based buffer overflow in mwifiex_ret_wmm_get_stat...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-12654
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1807052 1832531 1844063 1844065 1844066 1844067 1844068 1844069 1844070 1844071 1844072 1844073 1844074 1844075 1844076 1844077 1844078 1844079 1844080 1844081 1844082 1844083
Blocks:	1832532
TreeView+	depends on / blocked

Reported:	2020-05-06 19:19 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-12-15 17:50 UTC (History)
CC List:	48 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Linux kernel. The Marvell mwifiex driver allows a remote WiFi access point to trigger a heap-based memory buffer overflow due to an incorrect memcpy operation. The highest threat from this vulnerability is to data integrity and system availability.
Clone Of:
Environment:
Last Closed:	2020-07-07 13:27:44 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:3086	None	None	None	2020-07-22 01:04:34 UTC
Red Hat Product Errata	RHBA-2020:3235	None	None	None	2020-07-30 01:09:51 UTC
Red Hat Product Errata	RHBA-2020:3236	None	None	None	2020-07-30 02:11:40 UTC
Red Hat Product Errata	RHBA-2020:3249	None	None	None	2020-07-30 14:36:51 UTC
Red Hat Product Errata	RHBA-2020:3551	None	None	None	2020-08-25 14:35:52 UTC
Red Hat Product Errata	RHBA-2020:3552	None	None	None	2020-08-25 14:40:22 UTC
Red Hat Product Errata	RHSA-2020:2832	None	None	None	2020-07-07 08:36:54 UTC
Red Hat Product Errata	RHSA-2020:3010	None	None	None	2020-07-21 11:05:11 UTC
Red Hat Product Errata	RHSA-2020:3016	None	None	None	2020-07-21 11:23:27 UTC
Red Hat Product Errata	RHSA-2020:3041	None	None	None	2020-07-21 14:32:31 UTC
Red Hat Product Errata	RHSA-2020:3220	None	None	None	2020-07-29 18:19:01 UTC
Red Hat Product Errata	RHSA-2020:3221	None	None	None	2020-07-29 18:19:49 UTC
Red Hat Product Errata	RHSA-2020:3222	None	None	None	2020-07-29 19:37:19 UTC
Red Hat Product Errata	RHSA-2020:3224	None	None	None	2020-07-29 20:26:22 UTC
Red Hat Product Errata	RHSA-2020:3226	None	None	None	2020-07-29 20:47:03 UTC
Red Hat Product Errata	RHSA-2020:3232	None	None	None	2020-07-29 21:36:23 UTC
Red Hat Product Errata	RHSA-2020:3389	None	None	None	2020-08-11 07:15:55 UTC
Red Hat Product Errata	RHSA-2020:3432	None	None	None	2020-08-12 11:41:11 UTC

Description Guilherme de Almeida Suckevicz 2020-05-06 19:19:17 UTC

An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy.

Reference and upstream commit:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.4
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a9b153c5591548612c3955c9600a98150c81875

Comment 1 Guilherme de Almeida Suckevicz 2020-05-06 19:19:57 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1832531]

Comment 2 Justin M. Forbes 2020-05-06 21:18:59 UTC

This was fixed for Fedora with the 5.4.20 stable kernel updates.

Comment 5 errata-xmlrpc 2020-07-07 08:36:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:2832 https://access.redhat.com/errata/RHSA-2020:2832

Comment 6 Product Security DevOps Team 2020-07-07 13:27:44 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12654

Comment 8 errata-xmlrpc 2020-07-21 11:05:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3010 https://access.redhat.com/errata/RHSA-2020:3010

Comment 9 errata-xmlrpc 2020-07-21 11:23:18 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3016 https://access.redhat.com/errata/RHSA-2020:3016

Comment 10 errata-xmlrpc 2020-07-21 14:32:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3041 https://access.redhat.com/errata/RHSA-2020:3041

Comment 11 errata-xmlrpc 2020-07-29 18:18:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3220 https://access.redhat.com/errata/RHSA-2020:3220

Comment 12 errata-xmlrpc 2020-07-29 18:19:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3221 https://access.redhat.com/errata/RHSA-2020:3221

Comment 13 errata-xmlrpc 2020-07-29 19:37:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3222 https://access.redhat.com/errata/RHSA-2020:3222

Comment 14 errata-xmlrpc 2020-07-29 20:26:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3224 https://access.redhat.com/errata/RHSA-2020:3224

Comment 15 errata-xmlrpc 2020-07-29 20:46:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3226 https://access.redhat.com/errata/RHSA-2020:3226

Comment 16 errata-xmlrpc 2020-07-29 21:36:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:3232 https://access.redhat.com/errata/RHSA-2020:3232

Comment 17 errata-xmlrpc 2020-08-11 07:15:50 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:3389 https://access.redhat.com/errata/RHSA-2020:3389

Comment 18 errata-xmlrpc 2020-08-12 11:41:05 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3432 https://access.redhat.com/errata/RHSA-2020:3432

Comment 21 RaTasha Tillery-Smith 2021-04-23 11:55:06 UTC

Mitigation:

In order to mitigate this issue, it is possible to prevent the affected code from being loaded by blacklisting the kernel module mwifiex. For instructions relating to how to blacklist a kernel module, refer to: https://access.redhat.com/solutions/41278

Note You need to log in before you can comment on or make changes to this bug.

acaringi
airlied
bhu
blc
bmasney
brdeoliv
bskeggs
dhoward
dvlasenk
esammons
fhrbata
hdegoede
hkrzesin
iboverma
ichavero
itamar
jarodwilson
jeremy
jforbes
jglisse
jlelli
john.j5live
jonathan
josef
jross
jshortt
jstancek
jwboyer
kcarcia
kernel-maint
kernel-mgr
kyoshida
labbott
lgoncalv
linville
masami256
matt
mchehab
mcressma
mjg59
mlangsdo
nmurray
ptalbert
qzhao
rt-maint
rvrbovsk
steved
williams