Re: [PATCH v2] wifi: mwifiex: Fix OOB and integer underflow in mwifiex_process_mgmt_packet

[pinkperfect]

Hi, this vulnerability has been reported to and discussed with chromeos teams,
the detail analysis, see comments in below code:
mwifiex_process_sta_rx_packet makes sure rx_pkt_offset + rx_pkt_length <= skb->len
In mwifiex_process_mgmt_packet:

        rx_pd = (struct rxpd *)skb->data;

        // skb->len -= rx_pkt_offset, skb->len == rx_pkt_length
        skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset));
        // skb->len == rx_pkt_length - 2, if set rx_pkt_length == 4, skb->len == 2
        skb_pull(skb, sizeof(pkt_len));

        pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);

        //skip..

        // now skb->len == 2, skb->data + 24 is oob from skb buffer
        // skb->data + 30 is oob from skb buffer
        // pkt_len == 4, so underflow
        memmove(skb->data + sizeof(struct ieee80211_hdr_3addr),
                skb->data + sizeof(struct ieee80211_hdr),
                pkt_len - sizeof(struct ieee80211_hdr));

On MT8173 chromebook, the arm64 memmove.S / memcpy.S code logical
cause memove(dst, src, -x) a possible exploitable oob write vulnerability
not only a unexploitable crash