Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 03 Apr 2021 08:38:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 254737] Missing size checks in ieee80211_ioctl_set80211() could lead to an heap overflow
Message-ID:  <bug-254737-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254737

            Bug ID: 254737
           Summary: Missing size checks in ieee80211_ioctl_set80211()
                    could lead to an heap overflow
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: cutesmilee.research@protonmail.com

ieee80211_ioctl_set80211() can be called with ioctl() with SIOCS80211 type =
by
root user (there's ieee80211_priv_check_vap_manage() which checks for
PRIV_NET80211_VAP_MANAGE, and from my understading it's root only).
with i_type set to IEEE80211_IOC_MLME, ieee80211_ioctl_setmlme() will be ca=
lled
using user provided ireq and vap structs.
ireq->i_data (which is user controlled) is copied to a stack struct struct
ieee80211req_mlme, and if (vap->iv_opmode is set to IEEE80211_M_IBSS or
IEEE80211_M_AHDEMO and mlme.im_op is set to IEEE80211_MLME_ASSOC,
setmlme_assoc_adhoc() will be called with mlme fields which are user contro=
lled
(mlme.im_macaddr, mlme.im_ssid_len and mlme.im_ssid).
now struct ieee80211_scan_req is allocated in the heap (it's 128 bytes larg=
e),
and some memcpy()s are performed, the last one is the most interesting one
since it copies user provided ssid, with ssid_len (which is a uint8_t so ca=
n be
255 at max) to the previously allocated struct (actually to the last field,
which is a 108 bytes struct), since the size can be 255, and there're no bo=
unds
checks (just one that checks that it isn't 0) an heap overflow up to 147 by=
tes
(255 - 108) can be triggered, and I think it's big enough to be exploited.
at the moment I wasn=E2=80=99t able to make a poc.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-254737-227>