CVE-2024-56539 - Linux Kernel Wifi Vulnerability in Marvell mwifiex Driver (memcpy Field-Spanning Write)

CVE-2024-56539 is a vulnerability found and fixed in the Linux kernel's Marvell mwifiex WiFi driver. This issue could allow writing beyond the boundaries of a structure, possibly leading to data corruption, crashes, or other undefined behavior.

The vulnerability was flagged when a warning appeared on a Chromebook device using the MT8173 platform. The warning was due to the way the driver handled WiFi SSIDs (network names) during scanning.

What’s the Bug?

The bug relates to how SSIDs are stored and copied during a WiFi scan. In the function mwifiex_config_scan(), the driver would copy the SSID from the user input list to a field in its internal data structure. The problem is, the destination for the SSID was defined as a fixed one-element array, but sometimes more data would be written into it using memcpy. If the SSID was longer than one character, this would cause the code to overrun the memory boundary.

Here’s the warning you might see

------------[ cut here ]------------
memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)
WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+x4fc/xf28 [mwifiex]

Notice how memcpy is writing 6 bytes where only 1 byte is allocated.

The root of the problem was the use of a fixed one-element array for the SSID

struct mwifiex_ie_types_wildcard_ssid_params {
    struct mwifiex_ie_types_header header;
    u8 max_ssid_length;
    u8 ssid_length;
    u8 ssid[1]; // <-- Only 1 byte allocated
};

Then, during scanning, code would do

ssid_len = user_scan_in->ssid_list[i].ssid_len;
memcpy(wildcard_ssid_tlv->ssid,
       user_scan_in->ssid_list[i].ssid, ssid_len);

If ssid_len is greater than 1 (commonly up to 32, the max for WiFi SSIDs), this would overwrite memory past the struct. This triggers kernel warnings and could be a vector for attacks or accidental memory corruption.

The Fix

To address this, the one-element ssid array was replaced by a flexible array member. This is a C99 feature that lets you declare an array with no size at the end of a struct, indicating “this is where the rest of the data goes.”

Fixed code

struct mwifiex_ie_types_wildcard_ssid_params {
    struct mwifiex_ie_types_header header;
    u8 max_ssid_length;
    u8 ssid_length;
    u8 ssid[]; // <-- Flexible-array member, no fixed size
};

This tells the compiler and tools that extra data will be placed here, preventing warnings about writing past the end of a field.

Exploit Details

This specific bug itself is not a straightforward, remote exploit, but it’s serious for system stability and potential attack scenarios:

- Denial of Service: If an attacker could influence the WiFi scan data (for example, through a malicious program or improperly validated user input), they could crash the kernel or trigger undefined behavior.
- Potential Privilege Escalation: Overwritten memory in the kernel could be exploited in chain with other vulnerabilities, though there’s no public exploit for this exact case as of now.

Example Proof of Concept (PoC)

While a direct exploit for this issue is unlikely unless you have local access or root, you could observe the kernel warning by configuring a user-supplied WiFi SSID with a length larger than 1 and triggering a scan.

Here’s a very simplified snippet to demonstrate the mechanics

// Unsafe: causes field-spanning write in the vulnerable version

struct mwifiex_ie_types_wildcard_ssid_params *wildcard_ssid_tlv;
u8 ssid[6] = "hello!"; // 6 bytes including null
int ssid_len = 6;
wildcard_ssid_tlv = kmalloc(sizeof(*wildcard_ssid_tlv) + ssid_len, GFP_KERNEL);

// Fill in header and lengths...

memcpy(wildcard_ssid_tlv->ssid, ssid, ssid_len); // This writes 6 bytes into a 1-byte array

With the patch, the structure is defined using ssid[], so the memory is correctly allocated.

References

- Linux Kernel Patch Discussion
- Linux Maintainers Patch Commit
- Flexible Array Members in C
- CVE Details for CVE-2024-56539

How to Protect Your System

- Update your kernel: Make sure to use a kernel version that includes this patch or newer. Most major distros will backport security fixes soon after disclosure.

Check your hardware: If you use devices with Marvell WiFi chips, this bug is relevant.

- Monitor dmesg logs: Check your kernel logs for warnings like those above (“memcpy: detected field-spanning write…”).

Conclusion

CVE-2024-56539 is a good example of how even small code mistakes in kernel drivers can lead to bigger security issues down the road. If you maintain Linux systems or work with WiFi chipsets, make sure you’re running updated kernels with this fix. Programmers can avoid similar bugs by using flexible array members for structures meant to hold variable-length data.

Timeline

Published on: 12/27/2024 14:15:33 UTC
Last modified on: 05/04/2025 09:57:43 UTC