BF Specification of CVE-2019-14814 — Heap Buffer Overflow in Marvell wifi diver in Linux kernel up to excluding v5.3
Missing verification of 'rate_ie->len' towards a upper limit leads to use of an inconsistent size for an object, allowing a pointer reposition over its bounds, which, when used in 'memcpy()' leads to a heap buffer overflow. If exploited, this can lead to denial of service – system crash; and possibly arbitrary code execution.
Missing Code (in in 'mwifiex_set_uap_rates()') to Verify (length) of In Use data using Range mechanism (rate_ie->len > MWIFIEX_SUPPORTED_RATES) in Codebase source code (drivers/net/wireless/marvell/mwifiex/uap_cmd.c#L268) in Admin execution space (Linux kernel of Wifi Driver) leads to Inconsistent Value ('rate_ie->len') error, which propagates to
Wrong Size (in in 'memcpy(..., rate_ie + 1, rate_ie->len)') to Reposition (pointer) on Heap with Used size using Sequential mechanism in Codebase source code (drivers/net/wireless/marvell/mwifiex/uap_cmd.c#L276) in Kernel execution space (Linux kernel of Wifi Driver) that results in Overbound Pointer ('rate_ie + 1') error, which propagates to
Overbound Pointer (in in 'ptr->offsets[entries] = gf_bs_read_u64(bs);') to Write (object) Huge address span on Heap with Used size using Sequential mechanism in Third-Party source code (src/isomedia/box_code_base.c#L58) in Userland execution space that results in Buffer Overflow final error, which can be exploited toward
Arbitrary Code Execution (ACE) (Everything Could be Lost) or Denial of Service (DOS) (Availability Loss) security failure.
Wrong Size (in in 'memcpy(..., rate_ie + 1, rate_ie->len)') to Reposition (pointer) on Heap with Used size using Sequential mechanism in Codebase source code (drivers/net/wireless/marvell/mwifiex/uap_cmd.c#L276) in Kernel execution space (Linux kernel of Wifi Driver) that results in Overbound Pointer ('rate_ie + 1') error, which propagates to
Overbound Pointer (in in 'ptr->offsets[entries] = gf_bs_read_u64(bs);') to Write (object) Huge address span on Heap with Used size using Sequential mechanism in Third-Party source code (src/isomedia/box_code_base.c#L58) in Userland execution space that results in Buffer Overflow final error, which can be exploited toward
Arbitrary Code Execution (ACE) (Everything Could be Lost) or Denial of Service (DOS) (Availability Loss) security failure.
|
| Class | Definition |
| DVR | Data Verification (DVR) class – Data are verified (i.e., semantics check) or corrected (i.e., assign or remove) improperly. |
| MAD | Memory Addressing (MAD) class – The pointer to an object is initialized, dereferenced, repositioned, or reassigned to an improper memory address. |
| MUS | Memory Use (MUS) class – An object is initialized, read, written, or cleared improperly. |
| Operation | Definition |
| Verify | Verify operation – Check data semantics (e.g., proper value/meaning) in order to accept (and possibly correct) or reject it. |
| Reposition | Reposition operation – Change the pointer to another position inside its object. |
| Write | Write operation – Change the data value of an object in memory to another meaningful value. |
| Cause/Consequence | Definition |
| Code Bug | Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. It is the roor cause of a security vulnerability. Must be fixed to resolve the vulnerability. |
| Missing Code | Missing Code bug - The operation is misplaced entirely absent. |
| Data Error/Fault | Data error (or fault) type – The data of an object has harmed semantics or inconsistent or wrong value. |
| Inconsistent Value | Inconsistent Value error (or fault) – The data value does not correspond to related data value (e.g., inconstancy between the value of a size variable and the actual buffer size). |
| Wrong Size | Wrong Size error (or fault) – The value used as size or length (i.e., the number of elements) does not match the object's memory size or length (e.g., to limit a pointer reposition or index increment/decrement in a repetition statement). |
| Overbound Pointer | |
| Injection Final Error | Injection final error/exploit vector type – An exploitable or undefined system behavior caused by validation or sanitization bugs. |
| Buffer Overflow | |
| Operation Attribute | Definition |
| Mechanism | Mechanism operation attribute type – Shows how the operation with a bug or faulty operand is performed. |
| Range | Range operation attribute – The operation checks data are within a (min, max) interval. |
| Sequential | Sequential operation attribute – The operation is via iterating over the object elements. |
| Source Code | Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware. |
| Codebase | Codebase operation attribute – The operation is in the programmer's code - in the application itself. |
| Third-Party | Third-Party operation attribute – The operation code is in a third-party library, generated code, development tool, protocol stack, OS, etc. |
| Execution Space | Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs. |
| Admin | Admin operation attribute – The bugged code runs in an environment with access control policy with unlimited (admin user) permission. |
| Kernel | Kernel operation attribute – The bugged code runs in an environment with privilege levels with access privileged instructions (e.g., ring 0 in x86 architecture). |
| Userland | Userland operation attribute – The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture). |
| Operand Attribute | Definition |
| Data State | Data State operand attribute type – Shows where the data comes from. |
| In Use | In Use operand attribute – Data are from a volatile storage (e.g., RAM, cache memory). |
| Address State | Address State operand attribute type – Shows where the address is (i.e., its location) in the memory layout. |
| Heap | The object is a dynamically allocated data structure (e.g., via malloc() or new). |
| Size Kind | Size Kind operand attribute type – Shows what is used as the size or length (i.e., the number of elements) of an object - e.g., as the limit for traversal over the elements. |
| Used | Used operand attribute – A supplied value to be used as the size or length (i.e., the number of elements) of an object. |
| Address Kind | Address Kind operand attribute type - Shows how much memory is accessed (i.e., the span) outside of a bound of an object. |
| Huge | More than 1KB of memory is accessed. |
| BFFailure | Definition |
| ACE | Arbitrary Code Execution (ACE) – Execution of unauthorized commands or code execution that could lead to everything being lost; remote code execution (RCE) is a sub-case of ACE on a target system or device from a remote location, typically over a network. |
| DOS | Denial of Service (DOS) – Disruption of access to or use of information or information systems that leads to availability loss. |