One of the best-known myths about Linux is the classic "Linux is secure and has no vulnerabilities". This is simply false: both critical and minor bugs are found in Linux regularly and are disclosed, usually not at the moment of discovery but once a fix is available.
A case in point is the recent report of three vulnerabilities in the driver for wireless devices based on Marvell chips (CVE-2019-14814, CVE-2019-14815 and CVE-2019-14816). All three can lead to data being written outside the allocated buffer while the driver processes specially crafted configuration messages sent through the netlink interface.
About the Marvell vulnerabilities
CVE-2019-14814 is a buffer overflow in the mwifiex_set_uap_rates() function of the Marvell Wi-Fi driver in the Linux kernel.
The problem is inside mwifiex_set_uap_rates() in drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
The function makes two memcpy() calls to copy the WLAN_EID_SUPP_RATES and WLAN_EID_EXT_SUPP_RATES elements without checking their length. The destination buffer, bss_cfg->rates, is an array of MWIFIEX_SUPPORTED_RATES (14) bytes.
Both elements are taken from the cfg80211_ap_settings structure, whose contents come from user space.
CVE-2019-14815 is an overflow in the mwifiex_set_wmm_params() function of the Linux kernel.
The problem is inside mwifiex_set_wmm_params() in drivers/net/wireless/marvell/mwifiex/uap_cmd.c.
mwifiex_set_wmm_params() calls memcpy() to copy the WLAN_OUI_MICROSOFT vendor element into bss_cfg->wmm_info without checking its length.
bss_cfg->wmm_info is of type struct mwifiex_types_wmm_info, a fixed-size structure, so an element longer than that structure overruns it.
CVE-2019-14816, like the previous two, is an overflow, this time in mwifiex_update_vs_ie() in the Linux kernel.
The problem is inside mwifiex_update_vs_ie() in drivers/net/wireless/marvell/mwifiex/ie.c.
mwifiex_set_mgmt_beacon_data_ies() parses the beacon IEs, probe response IEs and association response IEs supplied in cfg80211_ap_settings, and for each set of IEs that is present it calls mwifiex_update_vs_ie() twice.
Taking beacon_ies as an example: on the first call, mwifiex_update_vs_ie() allocates a buffer and copies the WLAN_OUI_MICROSOFT element into ie->ie_buffer, an array of IEEE_MAX_IE_SIZE (256) bytes; on the second call it appends the WLAN_OUI_WFA element to the buffer allocated by the first call. If the combined length of the two elements exceeds IEEE_MAX_IE_SIZE, the second copy overflows the buffer.
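To make the pattern concrete, here is an added example in C (not the mwifiex driver's code and not from the advisory): a model of the unchecked memcpy() behind CVE-2019-14814 and CVE-2019-14816, beside the bounds check a fix needs. The EID values and the MWIFIEX_SUPPORTED_RATES / IEEE_MAX_IE_SIZE constants match the kernel's; struct bss_cfg, find_ie(), the set_uap_rates_*() and append_vendor_ie() functions and the two sample IE streams are simplified stand-ins assumed here for illustration.

```c
/* Added example, not the mwifiex driver's code: models the unchecked memcpy()
 * behind CVE-2019-14814 and CVE-2019-14816 beside the bounds check a fix needs.
 * EID and size constants match the kernel's; struct bss_cfg, the sample IE
 * streams and the function names are simplified stand-ins (assumptions). */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define WLAN_EID_SUPP_RATES      1
#define WLAN_EID_EXT_SUPP_RATES  50
#define WLAN_EID_VENDOR_SPECIFIC 221
#define MWIFIEX_SUPPORTED_RATES  14
#define IEEE_MAX_IE_SIZE         256

/* 802.11 information element: tag, length, then len bytes of payload. */
struct ie_hdr { uint8_t eid; uint8_t len; uint8_t data[]; };

/* Stand-in for the driver's BSS config, holding just the two overflow targets. */
struct bss_cfg {
    uint8_t  rates[MWIFIEX_SUPPORTED_RATES];
    uint8_t  ie_buffer[IEEE_MAX_IE_SIZE];
    uint16_t ie_len;
};

/* First element tagged 'eid' in a run of IEs; NULL if absent or truncated. */
static const struct ie_hdr *find_ie(const uint8_t *ies, size_t len, uint8_t eid)
{
    for (size_t off = 0; off + 2 <= len; off += 2 + ies[off + 1]) {
        if (off + 2 + ies[off + 1] > len)
            return NULL;                     /* declared length overruns input */
        if (ies[off] == eid)
            return (const struct ie_hdr *)(ies + off);
    }
    return NULL;
}

/* Pre-fix shape of mwifiex_set_uap_rates(): element lengths chosen by user
 * space are trusted, so 15 or more rate bytes overrun rates[14]. */
static int set_uap_rates_unchecked(struct bss_cfg *bss, const uint8_t *ies, size_t len)
{
    const struct ie_hdr *r = find_ie(ies, len, WLAN_EID_SUPP_RATES);
    const struct ie_hdr *x = find_ie(ies, len, WLAN_EID_EXT_SUPP_RATES);
    size_t n = r ? r->len : 0;
    if (r) memcpy(bss->rates, r->data, n);
    if (x) { memcpy(bss->rates + n, x->data, x->len); n += x->len; }
    return (int)n;
}

/* Hardened form: the combined length is checked against the destination
 * before any copy, and the whole request is refused if it does not fit. */
static int set_uap_rates_checked(struct bss_cfg *bss, const uint8_t *ies, size_t len)
{
    const struct ie_hdr *r = find_ie(ies, len, WLAN_EID_SUPP_RATES);
    const struct ie_hdr *x = find_ie(ies, len, WLAN_EID_EXT_SUPP_RATES);
    if ((r ? r->len : 0) + (x ? x->len : 0) > MWIFIEX_SUPPORTED_RATES)
        return -EINVAL;
    return set_uap_rates_unchecked(bss, ies, len);   /* now known to fit */
}

/* CVE-2019-14816 pattern: mwifiex_update_vs_ie() runs once per OUI and appends
 * into one 256-byte buffer, so each call must check the running total. */
static int append_vendor_ie(struct bss_cfg *bss, const struct ie_hdr *ie)
{
    size_t need = 2 + ie->len;
    if (bss->ie_len + need > IEEE_MAX_IE_SIZE)
        return -EINVAL;
    memcpy(bss->ie_buffer + bss->ie_len, ie, need);
    bss->ie_len += (uint16_t)need;
    return bss->ie_len;
}

/* Constructed IE streams in the layout user space sends via nl80211: 8 + 4
 * rate bytes fit rates[14] (12 copied); 8 + 8 is well-formed but does not. */
static const uint8_t sample_ok[] = {
    WLAN_EID_SUPP_RATES, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    WLAN_EID_EXT_SUPP_RATES, 4, 0x30, 0x48, 0x60, 0x6c,
};
static const uint8_t sample_oversize[] = {
    WLAN_EID_SUPP_RATES, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    WLAN_EID_EXT_SUPP_RATES, 8, 0x30, 0x48, 0x60, 0x6c, 0x30, 0x48, 0x60, 0x6c,
};

/* Apply a stream to a fresh config via the checked path: bytes copied or -EINVAL. */
int demo_rates(const uint8_t *ies, size_t len)
{
    struct bss_cfg b = {0};
    return set_uap_rates_checked(&b, ies, len);
}

/* Vendor IEs of 200 and 100 payload bytes fit alone but not together:
 * the first append returns 202, the second -EINVAL. */
int demo_vendor_ie(void)
{
    static uint8_t big[2 + 200] = { WLAN_EID_VENDOR_SPECIFIC, 200 };
    static uint8_t small[2 + 100] = { WLAN_EID_VENDOR_SPECIFIC, 100 };
    struct bss_cfg b = {0};
    if (append_vendor_ie(&b, (const struct ie_hdr *)big) != 202)
        return -1;
    return append_vendor_ie(&b, (const struct ie_hdr *)small);
}
```

The checked variant refuses the request as a whole rather than truncating it, which is the right choice here: a silently truncated rates list or vendor IE would configure the access point differently from what user space asked for. Note that the oversize streams are still well-formed at the IE level; the defect is purely that the element length was never compared with the destination size, which is why find_ie() alone does not protect the copy.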
These problems can be exploited by a local user to crash the kernel on systems that use Marvell wireless cards, and it cannot be ruled out that an attacker could use them to escalate privileges on the system.
Note that the affected code is reached when an access point is configured through nl80211, which requires CAP_NET_ADMIN in the network namespace that owns the interface, so the "local user" in practice needs that capability.
At the time of writing these problems remain unpatched in the distributions (Debian, Ubuntu, Fedora, RHEL, SUSE), even though they were disclosed several days ago.
A patch has, however, already been proposed for inclusion in upcoming versions of the Linux kernel.
Vulnerabilities in USB drivers
Andrey Konovalov of Google discovered 15 vulnerabilities in the USB drivers shipped with the Linux kernel.
This is the second batch of problems found by fuzzing: in 2017 the same researcher found 14 more vulnerabilities in the USB stack.
These problems can potentially be exploited when a specially prepared USB device is connected to the computer.
An attack requires physical access to the machine and results in at least a kernel crash, but other outcomes are not excluded: for a similar vulnerability identified in 2016 in the snd-usbmidi USB driver, it proved possible to build an exploit that executed code at kernel level.
Of the 15 problems, 13 have already been fixed in current Linux kernel updates, but two (CVE-2019-15290 and CVE-2019-15291) remain unfixed in the latest release, 5.2.9.
The unpatched vulnerabilities are NULL pointer dereferences in the ath6kl and b2c2 drivers, triggered by malformed data received from the device.
The other vulnerabilities include:
- Use-after-free (access to memory that has already been freed) in the v4l2-dev/radio-raremono, dvb-usb, sound/core, cpia2 and p54usb drivers;
- Double free in the rio500 driver;
- NULL pointer dereference in the yurex, zr364xx, siano/smsusb, sisusbvga, line6/pcm, motu_microbookii and line6 drivers.
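The NULL-dereference class behind several of these findings is worth seeing in code. The following is an added example, not code from ath6kl, b2c2 or any other driver named above, and not an exploit: it models a probe() routine that indexes endpoint descriptors controlled by the device, beside a hardened version that searches for the endpoints it needs and rejects the device if they are absent (the approach of the kernel's usb_find_common_endpoints() helper). The USB_DIR_IN and transfer-type constants match the USB specification; the struct layouts, function names and descriptor tables are simplified stand-ins assumed for illustration.

```c
/* Added example, not code from any of the drivers named above: models the
 * NULL-dereference class found by USB fuzzing, where probe() assumes the
 * endpoints it needs exist. USB constants match the spec; the structs, the
 * function names and the descriptor tables are stand-ins (assumptions). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     0x02
#define USB_ENDPOINT_XFER_INT      0x03

/* The two endpoint-descriptor fields we need, exactly as the device reports them. */
struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };

/* An interface altsetting: endpoint count and table are both device-controlled. */
struct altsetting { uint8_t num_endpoints; const struct ep_desc *endpoint; };

/* Per-device state the driver fills in at probe time. */
struct drv_dev { uint8_t bulk_in; uint8_t bulk_out; };

static int ep_is_bulk(const struct ep_desc *e)
{
    return (e->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_BULK;
}

/* Pre-fix pattern: written against the vendor's hardware, so it indexes
 * endpoint[0] and endpoint[1] directly. A crafted device reporting zero
 * endpoints (endpoint == NULL) dereferences NULL; one reporting a single
 * endpoint reads past the table. Comparison only; never run on untrusted input. */
static int probe_unchecked(struct drv_dev *dev, const struct altsetting *alt)
{
    dev->bulk_in  = alt->endpoint[0].bEndpointAddress;
    dev->bulk_out = alt->endpoint[1].bEndpointAddress;
    return 0;
}

/* Hardened pattern: search the table for one bulk-IN and one bulk-OUT
 * endpoint and refuse the device with -ENODEV if either is missing. */
static int probe_checked(struct drv_dev *dev, const struct altsetting *alt)
{
    const struct ep_desc *in = NULL, *out = NULL;
    for (unsigned i = 0; i < alt->num_endpoints; i++) {
        const struct ep_desc *e = &alt->endpoint[i];
        if (!ep_is_bulk(e))
            continue;
        if ((e->bEndpointAddress & USB_DIR_IN) && !in)
            in = e;
        else if (!(e->bEndpointAddress & USB_DIR_IN) && !out)
            out = e;
    }
    if (!in || !out)
        return -ENODEV;
    dev->bulk_in  = in->bEndpointAddress;
    dev->bulk_out = out->bEndpointAddress;
    return 0;
}

/* Constructed descriptor tables: what a genuine device and two crafted ones report. */
static const struct ep_desc genuine_eps[] = {
    { 0x81, USB_ENDPOINT_XFER_BULK },   /* bulk IN  */
    { 0x02, USB_ENDPOINT_XFER_BULK },   /* bulk OUT */
};
static const struct ep_desc int_only_eps[] = {
    { 0x83, USB_ENDPOINT_XFER_INT },    /* interrupt IN, no bulk pair */
};
static const struct altsetting genuine  = { 2, genuine_eps };
static const struct altsetting no_eps   = { 0, NULL };
static const struct altsetting int_only = { 1, int_only_eps };

/* Checked probe on a table: the chosen bulk-IN address (0x81) or -ENODEV. */
int demo_probe(const struct altsetting *alt)
{
    struct drv_dev dev = {0};
    int rc = probe_checked(&dev, alt);
    return rc ? rc : dev.bulk_in;
}

/* Unchecked probe on the genuine table, the only input it is safe on: 0x81. */
int demo_probe_unchecked(void)
{
    struct drv_dev dev = {0};
    probe_unchecked(&dev, &genuine);
    return dev.bulk_in;
}
```

The unchecked version is correct for the hardware it was written for, which is why such bugs survive until a fuzzer or a hostile device presents a descriptor set nobody anticipated. The fix is not to trust the count or the ordering: look up each required endpoint by type and direction, and fail probe() cleanly when it is not there.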