"The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero." [1]
1. A remote packet can be sent, resulting in funny subtractions ofsigned integers, which causes a memcpy(kernel_heap, network_user_buffer, -network_user_provided_length).
There are two different conditions that can lead to this:
https://lkml.org/lkml/2015/5/13/740
https://lkml.org/lkml/2015/5/13/744
2. A remote packet can be sent, resulting in divide-by-zero in softirq, causing hard crash:
https://lkml.org/lkml/2015/5/13/741
3. A remote packet can be sent, resulting in a funny subtraction, causing an insanely big loop to lock up the kernel: https://lkml.org/lkml/2015/5/13/742
4. Multiple out-of-bounds reads, resulting in possible information leakage, explained in the last paragraph of the introductory email here: https://lkml.org/lkml/2015/5/13/739
The above is a repost of this: http://seclists.org/oss-sec/2015/q2/446
You may find more information about ozwpan here: https://lkml.org/lkml/2015/5/13/739
[1] https://lkml.org/lkml/2015/5/13/739