From: Brian Norris <briannorris@chromium.org>
To: Tristan Madani <tristmd@gmail.com>
Cc: Johannes Berg <johannes@sipsolutions.net>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
Tristan Madani <tristan@talencesecurity.com>
Subject: Re: [PATCH v3 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response
Date: Wed, 22 Apr 2026 11:26:55 -0700 [thread overview]
Message-ID: <aekS72ESOUlnqGIo@google.com> (raw)
In-Reply-To: <20260421134938.331334-4-tristmd@gmail.com>
On Tue, Apr 21, 2026 at 01:49:35PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The firmware-controlled sta_count (u16) is used as an unbounded loop
> counter for iterating station info entries. An inflated count drives
> reads past the response buffer into kernel heap memory.
>
> Add a check that sta_count fits within the response size.
>
> Fixes: b21783e94e20 ("mwifiex: add sta_list firmware command")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
> - No code changes from v1.
>
> drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
> index 85512f526c5f2..4cf654046c6ae 100644
> --- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
> +++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
> @@ -976,8 +976,16 @@ static int mwifiex_ret_uap_sta_list(struct mwifiex_private *priv,
> struct mwifiex_ie_types_sta_info *sta_info = (void *)&sta_list->tlv;
> int i;
> struct mwifiex_sta_node *sta_node;
> + u16 resp_size = le16_to_cpu(resp->size);
> + u16 count = le16_to_cpu(sta_list->sta_count);
> + u16 max_count;
>
> - for (i = 0; i < (le16_to_cpu(sta_list->sta_count)); i++) {
> + if (resp_size < sizeof(*resp) - sizeof(resp->params) + sizeof(*sta_list))
> + return -EINVAL;
> + max_count = (resp_size - sizeof(*resp) + sizeof(resp->params) -
> + sizeof(*sta_list)) / sizeof(*sta_info);
The repeated arithmetic is a bit weird, but I'm not sure if it'd
actually be better to stash it in its own variable. Seems good enough I
suppose.
Acked-by: Brian Norris <briannorris@chromium.org>
> + count = min(count, max_count);
> + for (i = 0; i < count; i++) {
> sta_node = mwifiex_get_sta_entry(priv, sta_info->mac);
> if (unlikely(!sta_node))
> continue;
> --
> 2.47.3
>
next prev parent reply other threads:[~2026-04-22 18:26 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-21 13:49 [PATCH v3 0/6] wifi: mwifiex: firmware trust boundary hardening Tristan Madani
2026-04-21 13:49 ` [PATCH v3 1/6] wifi: mwifiex: fix OOB write from firmware queue_index in WMM status response Tristan Madani
2026-04-21 23:19 ` Brian Norris
2026-04-21 13:49 ` [PATCH v3 2/6] wifi: mwifiex: fix OOB write from firmware TID in ADDBA response handler Tristan Madani
2026-04-21 23:30 ` Brian Norris
2026-04-21 13:49 ` [PATCH v3 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response Tristan Madani
2026-04-22 18:26 ` Brian Norris [this message]
2026-04-22 19:12 ` Johannes Berg
2026-04-22 19:54 ` Brian Norris
2026-04-22 19:57 ` Johannes Berg
2026-04-22 20:09 ` Johannes Berg
2026-04-22 19:06 ` Johannes Berg
2026-04-21 13:49 ` [PATCH v3 4/6] wifi: mwifiex: fix OOB read in scan response from mismatched TLV data sizes Tristan Madani
2026-04-22 18:28 ` Brian Norris
2026-04-21 13:49 ` [PATCH v3 5/6] wifi: mwifiex: fix OOB read from firmware intf_num in multichannel event Tristan Madani
2026-04-21 23:20 ` Brian Norris
2026-04-21 13:49 ` [PATCH v3 6/6] wifi: mwifiex: fix OOB read from inflated TLV length in IBSS peer event Tristan Madani
2026-04-21 23:20 ` Brian Norris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aekS72ESOUlnqGIo@google.com \
--to=briannorris@chromium.org \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=tristan@talencesecurity.com \
--cc=tristmd@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.