Bug 1170828 (CVE-2020-12465) - VUL-0: CVE-2020-12465: kernel-source: remotely triggered kernel memory corruption by malformed IEEE 802.11 packet in mt76 driver
Summary: VUL-0: CVE-2020-12465: kernel-source: remotely triggered kernel memory corrup...
Status: RESOLVED FIXED
Duplicates: 1170888
Alias: CVE-2020-12465
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: x86 Other
Priority: P3 - Medium    Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-29 13:23 UTC by Oliver Neukum
Modified: 2024-06-25 14:45 UTC
CC: 5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Oliver Neukum 2020-04-29 13:23:17 UTC
This is from upstream but it needs a CVE

b102f0c522cf668c8382c56a4f771b37d011cda2 ("mt76: fix array overflow on receiving too many fragments for a packet")

The number of fragments is determined by the incoming packet. That means that anybody within radio reception can overwrite a part of the kernel's heap.

Strictly speaking only stuff from 4.16 onwards is vulnerable. I will look at older driver code for a similar issue.

Takashi has taken the fix for SLE15-SP2, but this needs to be tracked as a CVE.
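The report above boils down to one missing bounds check: the fragment index is driven by the transmitter, and it is used to write into a fixed-size per-packet array. The following C model is an added illustration and is not mt76 code; struct and function names, and the capacity MAX_FRAGS, are constructed for the example. It shows the shape of the check the referenced upstream fix introduces: compare the fragment index against the array size before the write, and discard the whole packet rather than deliver a truncated one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not the driver: a fixed-size per-packet fragment
 * table standing in for the skb frags[] array. 17 is an illustrative
 * capacity, not a value taken from the kernel. */
#define MAX_FRAGS 17
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct frag {
    size_t offset;   /* where this fragment's bytes sit in the reassembled packet */
    size_t len;
};

struct rx_pkt {
    struct frag frags[MAX_FRAGS];
    unsigned int nr_frags;   /* next free slot; grows with every over-the-air fragment */
    bool overflowed;         /* a fragment did not fit; the packet must be discarded */
};

/* Append one received fragment. nr_frags is controlled entirely by
 * whatever transmitted the frame, so it is checked against the array
 * size before the write. Without this check, slot nr_frags for
 * nr_frags >= MAX_FRAGS would be written past the end of frags[] into
 * whatever follows it, which is the heap corruption the report describes. */
static bool rx_add_fragment(struct rx_pkt *pkt, size_t offset, size_t len)
{
    unsigned int nr = pkt->nr_frags;

    if (nr >= ARRAY_SIZE(pkt->frags)) {
        pkt->overflowed = true;   /* drop this fragment, remember to drop the packet */
        return false;
    }
    pkt->frags[nr].offset = offset;
    pkt->frags[nr].len = len;
    pkt->nr_frags = nr + 1;
    return true;
}

/* Feed a packet that arrives as nfrags fragments of frag_len bytes each.
 * Returns the number of fragments in the delivered packet, or -1 when the
 * packet exceeded the table and was discarded instead of delivered. */
static int rx_receive_packet(unsigned int nfrags, size_t frag_len)
{
    struct rx_pkt pkt;
    memset(&pkt, 0, sizeof(pkt));

    for (unsigned int i = 0; i < nfrags; i++)
        rx_add_fragment(&pkt, (size_t)i * frag_len, frag_len);

    if (pkt.overflowed)
        return -1;            /* mirrors the fix: free the oversized packet, do not deliver it */
    return (int)pkt.nr_frags;
}
```

The important design point is that the rejection happens at the write site, on the value the attacker controls, and that a partial packet is never handed up the stack; a check that only logged the condition and kept delivering would still leave the array write in place.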
Comment 2 Alexandros Toptsoglou 2020-04-30 07:47:15 UTC
*** Bug 1170888 has been marked as a duplicate of this bug. ***
Comment 3 Alexandros Toptsoglou 2020-04-30 07:47:37 UTC
CVE-2020-12465

An array overflow was discovered in mt76_add_fragment in
drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka
CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt
memory of adjacent pages.
Comment 4 Wolfgang Frisch 2020-04-30 07:51:06 UTC
The mt76 wireless driver first appeared in SLE15-SP2 which is already fixed.
Comment 5 Oliver Neukum 2020-04-30 09:24:31 UTC
Added CVE and bsc to patch
Comment 6 Oliver Neukum 2020-04-30 09:58:06 UTC
(In reply to Wolfgang Frisch from comment #4)
> The mt76 wireless driver first appeared in SLE15-SP2 which is already fixed.

Yes, as far as I can tell, the older code is OK.
Comment 7 Marcus Meissner 2020-07-01 12:20:34 UTC
done