ghsa-3598-6xhq-v9q3
Vulnerability from github
Published
2024-12-27 15:31
Modified
2024-12-27 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()

Replace one-element array with a flexible-array member in struct mwifiex_ie_types_wildcard_ssid_params to fix the following warning on a MT8173 Chromebook (mt8173-elm-hana):

[ 356.775250] ------------[ cut here ]------------ [ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1) [ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]

The "(size 6)" above is exactly the length of the SSID of the network this device was connected to. The source of the warning looks like:

ssid_len = user_scan_in->ssid_list[i].ssid_len;
[...]
memcpy(wildcard_ssid_tlv->ssid,
       user_scan_in->ssid_list[i].ssid, ssid_len);

There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this struct, but it already didn't account for the size of the one-element array, so it doesn't need to be changed.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-56539"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:33Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()\n\nReplace one-element array with a flexible-array member in `struct\nmwifiex_ie_types_wildcard_ssid_params` to fix the following warning\non a MT8173 Chromebook (mt8173-elm-hana):\n\n[  356.775250] ------------[ cut here ]------------\n[  356.784543] memcpy: detected field-spanning write (size 6) of single field \"wildcard_ssid_tlv-\u003essid\" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)\n[  356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]\n\nThe \"(size 6)\" above is exactly the length of the SSID of the network\nthis device was connected to. The source of the warning looks like:\n\n    ssid_len = user_scan_in-\u003essid_list[i].ssid_len;\n    [...]\n    memcpy(wildcard_ssid_tlv-\u003essid,\n           user_scan_in-\u003essid_list[i].ssid, ssid_len);\n\nThere is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this\nstruct, but it already didn\u0027t account for the size of the one-element\narray, so it doesn\u0027t need to be changed.",
  "id": "GHSA-3598-6xhq-v9q3",
  "modified": "2024-12-27T15:31:53Z",
  "published": "2024-12-27T15:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56539"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1de0ca1d7320a645ba2ee5954f64be08935b002a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/581261b2d6fdb4237b24fa13f5a5f87bf2861f2c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fa329c44e1e635da2541eab28b6cdb8464fc8d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a09760c513ae0f98c7082a1deace7fb6284ee866"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b466746cfb6be43f9a1457bbee52ade397fb23ea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4698ef8c42e02782604bf4f8a489dbf6b0c1365"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d241a139c2e9f8a479f25c75ebd5391e6a448500"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7774910c5583e61c5fe2571280366624ef48036"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e2de22e4b6213371d9e76f74a10ce817572a8d74"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.