Bug 1170888

Summary: VUL-0: CVE-2020-12465: kernel-source: array overflow in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c, aka CID-b102f0c522cf
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: E-mail List <kernel-maintainers>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: atoptsoglou, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/258833/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-04-30 07:40:55 UTC
CVE-2020-12465

An array overflow was discovered in mt76_add_fragment in
drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka
CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt
memory of adjacent pages.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12465
https://github.com/torvalds/linux/commit/b102f0c522cf668c8382c56a4f771b37d011cda2
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.10
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b102f0c522cf668c8382c56a4f771b37d011cda2
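
Added example (not part of the original report and not the kernel's code): a user-space C model of the bug class described above, a fixed-size per-packet fragment table that must refuse further fragments once it is full. The struct and function names, the canary field and the capacity of 17 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_FRAGS 17 /* constructed capacity of the fixed fragment table */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

struct model_frag { const void *data; size_t len; };

/* Hypothetical packet: fragment table followed by a canary for adjacent memory. */
struct model_pkt {
    unsigned int nr_frags;
    struct model_frag frags[MODEL_MAX_FRAGS];
    unsigned char guard[16];
    unsigned int dropped;
};

/* Bounded append: 1 if the fragment was stored, 0 if the table was already full. */
static int model_add_fragment(struct model_pkt *p, const void *data, size_t len)
{
    if (p->nr_frags >= ARRAY_LEN(p->frags)) {
        p->dropped++; /* a driver would release the buffer here, not store it */
        return 0;
    }
    p->frags[p->nr_frags].data = data;
    p->frags[p->nr_frags].len = len;
    p->nr_frags++;
    return 1;
}

/* Deliver n fragments of one packet; return 1 if the canary is still intact. */
static int model_receive(struct model_pkt *p, unsigned int n)
{
    static const unsigned char buf[64]; /* constructed fragment payload */
    unsigned int i;

    memset(p, 0, sizeof(*p));
    memset(p->guard, 0xA5, sizeof(p->guard));
    for (i = 0; i < n; i++)
        model_add_fragment(p, buf, sizeof(buf));
    for (i = 0; i < sizeof(p->guard); i++)
        if (p->guard[i] != 0xA5)
            return 0;
    return 1;
}

int main(void)
{
    struct model_pkt p;
    int ok = model_receive(&p, 40); /* 40 fragments against 17 slots */
    printf("intact=%d stored=%u dropped=%u\n", ok, p.nr_frags, p.dropped);
    return 0;
}
```
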

Comment 1 Alexandros Toptsoglou 2020-04-30 07:47:15 UTC
tracked at bsc#1170828

*** This bug has been marked as a duplicate of bug 1170828 ***