fkie_cve-2024-56539
Vulnerability from fkie_nvd
Published
2024-12-27 14:15
Modified
2024-12-27 14:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Replace one-element array with a flexible-array member in `struct mwifiex_ie_types_wildcard_ssid_params` to fix the following warning on a MT8173 Chromebook (mt8173-elm-hana): [ 356.775250] ------------[ cut here ]------------ [ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1) [ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex] The "(size 6)" above is exactly the length of the SSID of the network this device was connected to. The source of the warning looks like: ssid_len = user_scan_in->ssid_list[i].ssid_len; [...] memcpy(wildcard_ssid_tlv->ssid, user_scan_in->ssid_list[i].ssid, ssid_len); There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this struct, but it already didn't account for the size of the one-element array, so it doesn't need to be changed.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1de0ca1d7320a645ba2ee5954f64be08935b002a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/581261b2d6fdb4237b24fa13f5a5f87bf2861f2c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5fa329c44e1e635da2541eab28b6cdb8464fc8d1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a09760c513ae0f98c7082a1deace7fb6284ee866
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b466746cfb6be43f9a1457bbee52ade397fb23ea
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c4698ef8c42e02782604bf4f8a489dbf6b0c1365
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d241a139c2e9f8a479f25c75ebd5391e6a448500
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d7774910c5583e61c5fe2571280366624ef48036
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e2de22e4b6213371d9e76f74a10ce817572a8d74
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()\n\nReplace one-element array with a flexible-array member in `struct\nmwifiex_ie_types_wildcard_ssid_params` to fix the following warning\non a MT8173 Chromebook (mt8173-elm-hana):\n\n[  356.775250] ------------[ cut here ]------------\n[  356.784543] memcpy: detected field-spanning write (size 6) of single field \"wildcard_ssid_tlv-\u003essid\" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)\n[  356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]\n\nThe \"(size 6)\" above is exactly the length of the SSID of the network\nthis device was connected to. The source of the warning looks like:\n\n    ssid_len = user_scan_in-\u003essid_list[i].ssid_len;\n    [...]\n    memcpy(wildcard_ssid_tlv-\u003essid,\n           user_scan_in-\u003essid_list[i].ssid, ssid_len);\n\nThere is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this\nstruct, but it already didn\u0027t account for the size of the one-element\narray, so it doesn\u0027t need to be changed."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mwifiex: Se corrige la advertencia de escritura que abarca el campo memcpy() en mwifiex_config_scan() Reemplace la matriz de un elemento con un miembro de matriz flexible en `struct mwifiex_ie_types_wildcard_ssid_params` para corregir la siguiente advertencia en una Chromebook MT8173 (mt8173-elm-hana): [ 356.775250] ------------[ cortar aqu\u00ed ]------------ [ 356.784543] memcpy: se detect\u00f3 escritura que abarca el campo (tama\u00f1o 6) del campo \u00fanico \"wildcard_ssid_tlv-\u0026gt;ssid\" en drivers/net/wireless/marvell/mwifiex/scan.c:904 (tama\u00f1o 1) [ 356.813403] ADVERTENCIA: CPU: 3 PID: 742 en drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex] El \"(tama\u00f1o 6)\" anterior es exactamente la longitud del SSID de la red a la que estaba conectado este dispositivo. La fuente de la advertencia se ve as\u00ed: ssid_len = user_scan_in-\u0026gt;ssid_list[i].ssid_len; [...] memcpy(wildcard_ssid_tlv-\u0026gt;ssid, user_scan_in-\u0026gt;ssid_list[i].ssid, ssid_len); Hay un #define WILDCARD_SSID_TLV_MAX_SIZE que usa sizeof() en esta estructura, pero ya no ten\u00eda en cuenta el tama\u00f1o de la matriz de un elemento, por lo que no es necesario cambiarlo."
    }
  ],
  "id": "CVE-2024-56539",
  "lastModified": "2024-12-27T14:15:33.530",
  "metrics": {},
  "published": "2024-12-27T14:15:33.530",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1de0ca1d7320a645ba2ee5954f64be08935b002a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/581261b2d6fdb4237b24fa13f5a5f87bf2861f2c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5fa329c44e1e635da2541eab28b6cdb8464fc8d1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a09760c513ae0f98c7082a1deace7fb6284ee866"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b466746cfb6be43f9a1457bbee52ade397fb23ea"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c4698ef8c42e02782604bf4f8a489dbf6b0c1365"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d241a139c2e9f8a479f25c75ebd5391e6a448500"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d7774910c5583e61c5fe2571280366624ef48036"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e2de22e4b6213371d9e76f74a10ce817572a8d74"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.