A vulnerability (tracked as CVE-2024-56539) was detected in the Linux kernel's wifi subsystem, in the Marvell mwifiex driver. With CONFIG_FORTIFY_SOURCE enabled, the kernel's hardened memcpy() reports a field-spanning write in mwifiex_config_scan() whenever a scan for a specific SSID is built. The warning was observed on an MT8173 Chromebook (mt8173-elm-hana) and has been resolved with a recent update to the mwifiex driver.

Details

The warning is raised because the structure "mwifiex_ie_types_wildcard_ssid_params" declares its SSID tail as a one-element array (u8 ssid[1]), an old C idiom for "variable-length data follows". The FORTIFY_SOURCE memcpy() check takes that declaration literally: the destination field is one byte, so copying an SSID of any realistic length into it is reported as a write that spans out of the field. Replacing the one-element array with a flexible-array member (u8 ssid[]) tells the compiler the field has no fixed size, and the warning goes away.

The warning message is as follows:

[  356.775250] ------------[ cut here ]------------
[  356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)
[  356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]

The source code that triggers the warning looks like this (the "(size 6)" in the splat is the ssid_len of the network being scanned for, and "(size 1)" is the declared size of the destination field):

ssid_len = user_scan_in->ssid_list[i].ssid_len;
[...]
memcpy(wildcard_ssid_tlv->ssid,
       user_scan_in->ssid_list[i].ssid, ssid_len);

There is also a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this struct. It never relied on the one-element array to hold the SSID bytes (it already reserves room for a full SSID on top of sizeof()), so shrinking the struct by one byte leaves it large enough, and the fix did not need to change it.
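The two layouts and the check described above, as an added example that is not code from the kernel or the mwifiex driver. The struct and macro names are modelled on the driver's but simplified, the TLV type id is a placeholder, the append/read helpers and the sample SSIDs are constructed for this example, and __builtin_object_size() (a GCC/clang extension) stands in for the compiler-side part of the FORTIFY_SOURCE memcpy() check. It shows why sizeof() drops by one byte, why the field-spanning check fires only for the one-element layout, and how the TLV is built and parsed within a bounded buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_MAX_SSID_LEN 32
#define MWIFIEX_MAX_SSID_LIST_LENGTH 10
#define TLV_TYPE_WILDCARDSSID 0x0112 /* placeholder id for the example, not the driver's */

struct tlv_header {
	uint16_t type;
	uint16_t len;
} __attribute__((packed));

/* Before the fix: a one-element array standing in for a variable-length tail. */
struct wildcard_ssid_tlv_old {
	struct tlv_header header;
	uint8_t max_ssid_length;
	uint8_t ssid[1];
} __attribute__((packed));

/* After the fix: a flexible-array member; sizeof() no longer counts the tail. */
struct wildcard_ssid_tlv {
	struct tlv_header header;
	uint8_t max_ssid_length;
	uint8_t ssid[];
} __attribute__((packed));

/* Same shape as the driver's macro: sizeof(struct) plus a full SSID per list
 * entry. It never subtracted the one-element array, so it stays large enough
 * (one spare byte per entry with the old struct, exact with the new one). */
#define WILDCARD_SSID_TLV_MAX_SIZE \
	(MWIFIEX_MAX_SSID_LIST_LENGTH * \
	 (sizeof(struct wildcard_ssid_tlv) + IEEE80211_MAX_SSID_LEN))

size_t old_struct_size(void) { return sizeof(struct wildcard_ssid_tlv_old); }
size_t new_struct_size(void) { return sizeof(struct wildcard_ssid_tlv); }
size_t ssid_offset(void) { return offsetof(struct wildcard_ssid_tlv, ssid); }

/* The rule FORTIFY_SOURCE's memcpy() applies: a copy longer than the
 * compiler-known size of the destination field is a field-spanning write.
 * A flexible array has no known size ((size_t)-1), so the check never fires. */
int fortify_would_warn(size_t dst_field_size, size_t copy_len)
{
	return dst_field_size != (size_t)-1 && copy_len > dst_field_size;
}

/* What the compiler knows about each layout when the pointer's origin is opaque. */
__attribute__((noinline)) size_t old_ssid_field_size(struct wildcard_ssid_tlv_old *t)
{ return __builtin_object_size(t->ssid, 1); }
__attribute__((noinline)) size_t new_ssid_field_size(struct wildcard_ssid_tlv *t)
{ return __builtin_object_size(t->ssid, 1); }

/* Append one wildcard-SSID TLV at tlv_buf + *pos, the way the scan path lays
 * TLVs into its command buffer. Rejects over-long SSIDs and any write that
 * would run past the buffer. Returns 0 on success, -1 otherwise. */
int append_wildcard_ssid_tlv(uint8_t *tlv_buf, size_t buf_size, size_t *pos,
			     const uint8_t *ssid, size_t ssid_len, uint8_t max_ssid_length)
{
	struct wildcard_ssid_tlv *tlv;
	size_t need = sizeof(*tlv) + ssid_len; /* struct_size(tlv, ssid, ssid_len) in kernel terms */

	if (ssid_len > IEEE80211_MAX_SSID_LEN || *pos > buf_size || need > buf_size - *pos)
		return -1;
	tlv = (struct wildcard_ssid_tlv *)(tlv_buf + *pos);
	tlv->header.type = TLV_TYPE_WILDCARDSSID; /* host order here; cpu_to_le16() in the driver */
	tlv->header.len = (uint16_t)(sizeof(tlv->max_ssid_length) + ssid_len);
	tlv->max_ssid_length = max_ssid_length;
	memcpy(tlv->ssid, ssid, ssid_len); /* the copy that tripped the warning with u8 ssid[1] */
	*pos += sizeof(tlv->header) + tlv->header.len;
	return 0;
}

/* Read the n-th wildcard-SSID TLV back into ssid_out (NUL-terminated).
 * Returns the SSID length, or -1 if n is out of range or a TLV is truncated. */
int read_wildcard_ssid(const uint8_t *tlv_buf, size_t len, int n,
		       char ssid_out[IEEE80211_MAX_SSID_LEN + 1])
{
	size_t pos = 0;

	while (pos + sizeof(struct tlv_header) <= len) {
		const struct wildcard_ssid_tlv *tlv = (const struct wildcard_ssid_tlv *)(tlv_buf + pos);
		size_t body = tlv->header.len;

		if (body < sizeof(tlv->max_ssid_length) || body > len - pos - sizeof(tlv->header))
			return -1; /* malformed or truncated TLV */
		if (n-- == 0) {
			size_t slen = body - sizeof(tlv->max_ssid_length);

			if (slen > IEEE80211_MAX_SSID_LEN)
				return -1;
			memcpy(ssid_out, tlv->ssid, slen);
			ssid_out[slen] = '\0';
			return (int)slen;
		}
		pos += sizeof(tlv->header) + body;
	}
	return -1;
}

/* Constructed sample: a 6-byte SSID (the "(size 6)" of the splat) and a 32-byte
 * one, written into a buffer sized by the macro and read back. Returns the
 * bytes used on success, -1 if any bounds check misbehaves. */
int demo_scan_tlvs(void)
{
	uint8_t buf[WILDCARD_SSID_TLV_MAX_SIZE];
	char out[IEEE80211_MAX_SSID_LEN + 1];
	size_t used = 0;
	static const uint8_t ssid6[] = "lab-ap";
	static const uint8_t ssid32[] = "0123456789abcdef0123456789abcdef";
	static const uint8_t too_long[IEEE80211_MAX_SSID_LEN + 1] = { 0 };

	if (append_wildcard_ssid_tlv(buf, sizeof buf, &used, ssid6, 6, 0) ||
	    append_wildcard_ssid_tlv(buf, sizeof buf, &used, ssid32, 32, 0))
		return -1;
	if (append_wildcard_ssid_tlv(buf, sizeof buf, &used, too_long, 33, 0) == 0)
		return -1; /* 33 bytes exceeds the 802.11 maximum and must be rejected */
	if (read_wildcard_ssid(buf, used, 0, out) != 6 || strcmp(out, "lab-ap") != 0)
		return -1;
	if (read_wildcard_ssid(buf, used, 1, out) != 32 || read_wildcard_ssid(buf, used, 2, out) != -1)
		return -1;
	if (read_wildcard_ssid(buf, used - 1, 1, out) != -1)
		return -1; /* a truncated second TLV is refused */
	return (int)used;
}

int main(void)
{
	uint8_t scratch[64];
	struct wildcard_ssid_tlv_old *old_tlv = (struct wildcard_ssid_tlv_old *)scratch;
	struct wildcard_ssid_tlv *new_tlv = (struct wildcard_ssid_tlv *)scratch;

	printf("sizeof: old %zu, new %zu; ssid offset %zu (unchanged)\n",
	       old_struct_size(), new_struct_size(), ssid_offset());
	printf("6-byte SSID into u8 ssid[1]: warns=%d; into u8 ssid[]: warns=%d\n",
	       fortify_would_warn(old_ssid_field_size(old_tlv), 6),
	       fortify_would_warn(new_ssid_field_size(new_tlv), 6));
	printf("demo TLV bytes used: %d (WILDCARD_SSID_TLV_MAX_SIZE = %zu)\n",
	       demo_scan_tlvs(), (size_t)WILDCARD_SSID_TLV_MAX_SIZE);
	return 0;
}
```

The point to take from the demo is that the copy itself is the same in both layouts and stays inside the buffer; only the compiler's view of the destination field changes. Bounds for the real scan path come from the caller capping ssid_len at IEEE80211_MAX_SSID_LEN and from the TLV buffer being sized by WILDCARD_SSID_TLV_MAX_SIZE, which is why the struct change alone is a complete fix.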

Exploit Details

Attack: No exploit is known. The warning comes from the kernel's FORTIFY_SOURCE bounds check on memcpy(), not from a demonstrated out-of-bounds write: the destination field was declared as a one-byte array, so any SSID longer than one byte (six bytes in the captured splat) is reported as a field-spanning write, even though the TLV sits inside the driver's larger scan-command buffer and the copy length is the requested SSID length, which the wireless stack caps at IEEE80211_MAX_SSID_LEN (32 bytes).

Impact: On a kernel built with CONFIG_FORTIFY_SOURCE, asking the driver to scan for a specific SSID produces a WARNING splat in the log. Where panic_on_warn is enabled, that WARNING becomes a kernel panic, so the practical exposure is a denial of service on such systems. No data leak or memory corruption has been shown.

Resolution: The fix replaces the one-element array in the "mwifiex_ie_types_wildcard_ssid_params" struct with a flexible-array member. No change to WILDCARD_SSID_TLV_MAX_SIZE or to the copy itself was required; the check is to confirm that a kernel with CONFIG_FORTIFY_SOURCE no longer logs the scan.c:904 warning when a directed scan is issued.

References

1. Linux Kernel source code: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
2. MT8173 Chromebook: https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices/mt8173-elm/
3. Marvell mwifiex driver: https://wireless.wiki.kernel.org/en/users/drivers/mwifiex

Conclusion

The Linux kernel's wifi vulnerability (CVE-2024-56539) was detected and resolved by replacing the one-element array with a flexible-array member in the 'mwifiex_ie_types_wildcard_ssid_params' structure, thereby eliminating the memcpy() field-spanning write warning. System administrators and users of Linux kernel systems, specifically those using an MT8173 Chromebook or any other device with the mwifiex wifi driver, are advised to update to a kernel that carries the fix. As always, it is important to stay vigilant and keep your systems up to date to minimize the chances of being affected by vulnerabilities.

Timeline

Published on: 12/27/2024 14:15:33 UTC
Last modified on: 01/20/2025 06:22:30 UTC