¡¾Ô­´´·ì϶¡¿LinuxÄÚºËMarvell WI-FIоƬÇý¶¯·ì϶£¨CVE-2019-3846/CVE-2019-10126£©

°ä²¼¹¦·ò 2019-06-10

·ì϶¸ÅÊö



Marvell Avastar802.11acµÍ¹¦ºÄÎÞÏßоƬϵÁÐÖØÒªÀûÓÃÓڱʼDZ¾µçÄÔ¡¢ÖÇÄÜÊÖ»ú¡¢ÓÎÏ·É豸¡¢Â·ÓÉÆ÷ºÍÎïÁªÍøÉ豸µÈ £¬£¬ £¬£¬ £¬£¬ £¬£¬ÈçSurface Pro¡¢Surface laptop¡¢Samsung Chromebook¡¢Galaxy J1¡¢Sony PlayStation 4¡¢Xbox One¡£¡£¡£¡£¡£¡£


LinuxÄÚºËMarvell AvastarϵÁÐоƬ£¨88W8766/88W8797/88W8897/88W8997£©Çý¶¯´æÔÚÔ¶³ÌÒç¶Âí½ÅCVE-2019-3846ºÍ±¾µØÒç¶Âí½ÅCVE-2019-10126 £¬£¬ £¬£¬ £¬£¬ £¬£¬¿Éµ¼Ö»ؾø·þÎñ£¨ÏµÍ³±ÀÀ££©»òËÁÒâ´úÂëÖ´ÐÐ £¬£¬ £¬£¬ £¬£¬ £¬£¬8827Ì«Ñô¼¯ÍÅADLabÒѵÚÒ»¹¦·òÌá½»³§É̽øÐн¨¸´¡£¡£¡£¡£¡£¡£


·ì϶ӰÏìÁìÓò



Linux kernel 3.2~Linux kernel 5.1


·ì϶·ÖÎö



ÐÅÏ¢ÔªËØ£¨Information Element £¬£¬ £¬£¬ £¬£¬ £¬£¬IE£©ÊÇIEEE 802.11ÖÎÀíÖ¡µÄ×é³É²¿ÃÅ¡£¡£¡£¡£¡£¡£APºÍSTAͨ¹ýIE»¥»»ÐÅ· £¬£¬ £¬£¬ £¬£¬ £¬£¬ËÙ¶ÈÒÔ¼°¼ÓÃÜËã·¨µÈÐÅÏ¢¡£¡£¡£¡£¡£¡£³ýVendor Specific±í £¬£¬ £¬£¬ £¬£¬ £¬£¬ÆäËûIE¾ùʹÓÃTLVÊý¾Ý½á¹¹°µÊ¾¡£¡£¡£¡£¡£¡£


8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website


ÆäÖÐ £¬£¬ £¬£¬ £¬£¬ £¬£¬Type×ֶ㤶ÈΪ1¸ö×Ö½Ú £¬£¬ £¬£¬ £¬£¬ £¬£¬³£¼ûµÄIEÀàÐÍÒÔ¼°È¡ÖµÈçÏ£º

8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website


CVE-2019-3846Ô¶³Ì¶ÑÒç¶Âí½Å


¸Ã·ì϶λÓÚdrivers/net/wireless/marvell/mwifiex/scan.cÖеÄmwifiex_update_bss_desc_with_ieº¯ÊýÖС£¡£¡£¡£¡£¡£²¹¶¡´úÂëÔö³¤¶ÔWLAN_EID_SSIDºÍWLAN_EID_SUPP_RATESµÄ³¤¶ÈУÑé¡£¡£¡£¡£¡£¡£


8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website


·ì϶´¥·¢µÄº¯ÊýŲÓÃÁ´£º


->mwifiex_cfg80211_connect [mwifiex]
->mwifiex_cfg80211_assoc [mwifiex]
->mwifiex_bss_start [mwifiex]
->mwifiex_fill_new_bss_desc [mwifiex]

->mwifiex_update_bss_desc_with_ie [mwifiex]


Äܹ»¿´³ö £¬£¬ £¬£¬ £¬£¬ £¬£¬·ì϶²úÉúÔÚAssociation½×¶Î £¬£¬ £¬£¬ £¬£¬ £¬£¬ÎÞÐè¾­¹ýËÄ´ÎÎÕÊÖÈÏÖ¤¡£¡£¡£¡£¡£¡£


8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website


¹¥»÷ÕßÎÞÐèÕæʵAPÃÜÂë £¬£¬ £¬£¬ £¬£¬ £¬£¬Ö»Ðèʹvictim STA¶Ï¿ªÔ­ÓÐÏÎ½Ó £¬£¬ £¬£¬ £¬£¬ £¬£¬³¢ÊÔÏνÓFakeAPʱ £¬£¬ £¬£¬ £¬£¬ £¬£¬¼´¿É´¥·¢¸Ã·ì϶¡£¡£¡£¡£¡£¡£

8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website


CVE-2019-10126±¾µØ¶ÑÒç¶Âí½Å


¸Ã·ì϶λÓÚdrivers/net/wireless/marvell/mwifiex/ie.cÖеÄmwifiex_uap_parse_tail_iesº¯Êý £¬£¬ £¬£¬ £¬£¬ £¬£¬¸Ãº¯ÊýÓÃÓÚ½âÎöÓû§²ã´«µÝµÄbeaconÊý¾Ý²¢½«Æä´«µÝ¸ø¹Ì¼þ¡£¡£¡£¡£¡£¡£ÔÚwhileÑ­»·µÄswitch default·ÖÖ§ÖÐ £¬£¬ £¬£¬ £¬£¬ £¬£¬µ±´¦ÖÃWLAN_EID_SSIDºÍWLAN_EID_SUPP_RATESµÈÖ®±íµÄÐÅÏ¢ÔªËØIE £¬£¬ £¬£¬ £¬£¬ £¬£¬Ôò»áŲÓÿ½±´º¯Êý¡£¡£¡£¡£¡£¡£²¹¶¡ÔÚ¿½±´º¯ÊýÇ°Ôö³¤Á˶ÔTLVµÄ³¤¶ÈУÑé´úÂë¡£¡£¡£¡£¡£¡£


8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website


Óû§Ì¬ÀûÓ÷¨Ê½£¨Èçwpa_suppliant,hostapd£©Í¨¹ýnetlink½Ó¿ÚÓëÄÚºËÄ£¿£¿£¿£¿£¿ £¿é½øÐÐͨѶ¡£¡£¡£¡£¡£¡£ÔÚ³õʼ»¯¹ý³ÌÖÐ×¢²áÐÂÎźÅÁîºÍ»Øµ÷º¯Êý¡£¡£¡£¡£¡£¡£


8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website


ÄÚºËÊÕµ½NL80211_CMD_START_APÐÂÎÅʱ £¬£¬ £¬£¬ £¬£¬ £¬£¬º¯ÊýŲÓÃÁ´£º


->nl80211_start_ap [cfg80211]
->rdev_start_ap [cfg80211]
->mwifiex_cfg80211_start_ap  [mwifiex]
->mwifiex_set_mgmt_ies [mwifiex]

->mwifiex_uap_parse_tail_ies [mwifiex]


ÈôÊÇ»ú¹ØÌØÊâµÄbeaconÊý¾ÝÔ̺¬¶à¸öÌØÊâÀàÐ͵ÄIE£¨ÀýÈçWLAN_EID_SUPPORTED_OPERATING_CLASSES£© £¬£¬ £¬£¬ £¬£¬ £¬£¬½«Ê¹µÃmwifiex_uap_parse_tail_iesÑ­»·Å²ÓÃmemcpy £¬£¬ £¬£¬ £¬£¬ £¬£¬µ¼Ö±¾µØÒç³ö¡£¡£¡£¡£¡£¡£


°²È«½¨Òé



Linux¸÷¿¯Ðаæ·ì϶²¼¸æ£º


https://security-tracker.debian.org/tracker/CVE-2019-3846
https://access.redhat.com/security/cve/cve-2019-3846

https://security-tracker.debian.org/tracker/CVE-2019-10126


²¹¶¡Á´½Ó£º


https://patchwork.kernel.org/patch/10967049/
https://patchwork.kernel.org/patch/10970141/