ASA-2019-00572 – Linux kernel: Buffer overflow when copying SSID to userspace in cfg80211


Allele Security Alert

ASA-2019-00572

Identifier(s)

ASA-2019-00572, CVE-2019-17133

Title

Buffer overflow when copying SSID to userspace in cfg80211

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.4-rc4

Linux kernel 4.4.x versions before 4.4.198
Linux kernel 4.9.x versions before 4.9.198
Linux kernel 4.14.x versions before 4.14.151
Linux kernel 4.19.x versions before 4.19.81

Fixed version(s)

Linux kernel version 5.4-rc4

Linux kernel version 4.4.198
Linux kernel version 4.9.198
Linux kernel version 4.14.151
Linux kernel version 4.19.81

Linux kernel with the following commit:

cfg80211: wext: avoid copying malformed SSIDs
https://github.com/torvalds/linux/commit/4ac2813cc867ae563a1ba5a9414bfb554e5796fa

Proof of concept

Unknown

Description

The function cfg80211_mgd_wext_giwessid() in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a buffer overflow when copying to userspace.

Technical details

The SSID element is not bounds-checked prior to invoking memcpy() with its length field.
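
A userspace C model of the bounds check this paragraph says is missing, added here as an example; it is not the kernel's code or the upstream patch. The names copy_ssid_checked, demo, EID_SSID and SSID_MAX_LEN are hypothetical, the 32-byte limit is the 802.11 maximum SSID length, and the sample elements are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_SSID     0   /* 802.11 element ID of the SSID element */
#define SSID_MAX_LEN 32  /* 802.11 maximum SSID length (hypothetical name) */

/* The flaw as described: memcpy(dst, ie + 2, ie[1]) with ie[1] never
 * compared to the destination size. Hardened form below: returns the
 * SSID length, or -1 for a malformed element. */
int copy_ssid_checked(const uint8_t *ie, size_t ie_avail,
                      uint8_t *dst, size_t dst_cap)
{
    if (ie == NULL || ie_avail < 2 || ie[0] != EID_SSID)
        return -1;
    size_t len = ie[1];
    if (len > ie_avail - 2)                   /* truncated: would over-read */
        return -1;
    if (len > SSID_MAX_LEN || len > dst_cap)  /* too long: would over-write */
        return -1;
    memcpy(dst, ie + 2, len);
    return (int)len;
}

/* Constructed input: an SSID element claiming n bytes, copied into a
 * 32-byte buffer followed by a canary that must stay untouched. */
int demo(uint8_t n, int *canary_intact)
{
    uint8_t ie[2 + 255] = { EID_SSID, n };
    struct { uint8_t ssid[SSID_MAX_LEN]; uint8_t canary[8]; } out;
    static const uint8_t expect[8] = { 0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a };
    memset(ie + 2, 'A', n);
    memset(&out, 0x5a, sizeof(out));
    int r = copy_ssid_checked(ie, 2 + (size_t)n, out.ssid, sizeof(out.ssid));
    *canary_intact = memcmp(out.canary, expect, sizeof(expect)) == 0;
    return r;
}

int main(void)
{
    for (int n = 31, ok; n <= 34; n++) {
        int r = demo((uint8_t)n, &ok);
        printf("len=%d -> %d, canary %s\n", n, r, ok ? "intact" : "clobbered");
    }
    return 0;
}
```

This model rejects an over-long or truncated element outright; a caller that prefers to keep going could clamp the length to the destination size instead.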

Credits

Nicolas Waisman (Semmle Security Research)

Reference(s)

[PATCH 2/2] cfg80211: wext: Reject malformed SSID elements
https://marc.info/?l=linux-wireless&m=157018270915487&w=2

cfg80211: wext: avoid copying malformed SSIDs
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/net/wireless/wext-sme.c?id=4ac2813cc867ae563a1ba5a9414bfb554e5796fa

cfg80211: wext: avoid copying malformed SSIDs
https://github.com/torvalds/linux/commit/4ac2813cc867ae563a1ba5a9414bfb554e5796fa

Linux 5.4-rc4
https://lwn.net/Articles/802742/

Linux 4.4.198
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.198

Linux 4.9.198
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.198

Linux 4.14.151
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.151

Linux 4.19.81
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.81

CVE-2019-17133 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17133.html

CVE-2019-17133 | SUSE
https://www.suse.com/security/cve/CVE-2019-17133

CVE-2019-17133
https://security-tracker.debian.org/tracker/CVE-2019-17133

CVE-2019-17133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17133

CVE-2019-17133
https://nvd.nist.gov/vuln/detail/CVE-2019-17133

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 11, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.