* [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
@ 2026-04-21 10:35 Tristan Madani
2026-04-21 10:59 ` Johannes Berg
0 siblings, 1 reply; 5+ messages in thread
From: Tristan Madani @ 2026-04-21 10:35 UTC (permalink / raw)
To: Ping-Ke Shih; +Cc: Bitterblue Smith, Johannes Berg, linux-wireless
On Mon, 21 Apr 2026, Ping-Ke Shih wrote:
> Since this is data (hot) path, I'd prefer unlikely(new_len > RTK_PCI_RX_BUF_SIZE).
Good point. v3 below adds unlikely().
Thanks Bitterblue for clarifying -- glad the patches are complementary.
---
From: Tristan Madani <tristan@talencesecurity.com>
Subject: [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
In rtw_pci_rx_napi(), new_len is computed as the sum of pkt_len (14-bit
descriptor field, max 16383) and pkt_offset (drv_info_sz + shift, both
firmware-controlled). The result can exceed RTK_PCI_RX_BUF_SIZE (11478),
causing an out-of-bounds read from the pre-allocated DMA buffer when
skb_put_data copies new_len bytes. The USB transport already validates
this (rtw_usb_rx_data_put checks against RTW_USB_MAX_RECVBUF_SZ); the
PCIe path does not.
Add a check that new_len does not exceed the DMA buffer size.
Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Wrap check in unlikely() since this is the RX hot path, per
Ping-Ke Shih.
Changes in v2:
- Clarify field widths and maximum new_len derivation in commit
message, per Ping-Ke Shih.
drivers/net/wireless/realtek/rtw88/pci.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -1078,6 +1078,11 @@ static int rtw_pci_rx_napi(struct rtw_dev *rtwdev, struct rtw_pci *rtwpci,
new_len = pkt_stat.pkt_len + pkt_offset;
+ if (unlikely(new_len > RTK_PCI_RX_BUF_SIZE)) {
+ rtw_dbg(rtwdev, RTW_DBG_RX,
+ "oversized RX packet: %u\n", new_len);
+ goto next_rp;
+ }
new = dev_alloc_skb(new_len);
if (WARN_ONCE(!new, "rx routine starvation\n"))
goto next_rp;
--
2.43.0
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
2026-04-21 10:35 [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer Tristan Madani
@ 2026-04-21 10:59 ` Johannes Berg
0 siblings, 0 replies; 5+ messages in thread
From: Johannes Berg @ 2026-04-21 10:59 UTC (permalink / raw)
To: Tristan Madani, Ping-Ke Shih; +Cc: Bitterblue Smith, linux-wireless
On Tue, 2026-04-21 at 10:35 +0000, Tristan Madani wrote:
> On Mon, 21 Apr 2026, Ping-Ke Shih wrote:
> > Since this is data (hot) path, I'd prefer unlikely(new_len > RTK_PCI_RX_BUF_SIZE).
>
> Good point. v3 below adds unlikely().
>
> Thanks Bitterblue for clarifying -- glad the patches are complementary.
>
> ---
>
> From: Tristan Madani <tristan@talencesecurity.com>
> Subject: [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
>
This format doesn't work, you can't have a "preamble" section before a
"---" separator, only a "footer" section _after_ a "---" separator
(which doesn't go into the git history log.)
johannes
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
@ 2026-04-21 11:00 Tristan Madani
0 siblings, 0 replies; 5+ messages in thread
From: Tristan Madani @ 2026-04-21 11:00 UTC (permalink / raw)
To: Ping-Ke Shih
Cc: Bitterblue Smith, Johannes Berg, linux-wireless, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
In rtw_pci_rx_napi(), new_len is computed as the sum of pkt_len (14-bit
descriptor field, max 16383) and pkt_offset (drv_info_sz + shift, both
firmware-controlled). The result can exceed RTK_PCI_RX_BUF_SIZE (11478),
causing an out-of-bounds read from the pre-allocated DMA buffer when
skb_put_data copies new_len bytes. The USB transport already validates
this (rtw_usb_rx_data_put checks against RTW_USB_MAX_RECVBUF_SZ); the
PCIe path does not.
Add a check that new_len does not exceed the DMA buffer size.
Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Wrap check in unlikely() since this is the RX hot path, per
Ping-Ke Shih.
Changes in v2:
- Clarify field widths and maximum new_len derivation in commit
message, per Ping-Ke Shih.
drivers/net/wireless/realtek/rtw88/pci.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -1078,6 +1078,11 @@ static int rtw_pci_rx_napi(struct rtw_dev *rtwdev, struct rtw_pci *rtwpci,
new_len = pkt_stat.pkt_len + pkt_offset;
+ if (unlikely(new_len > RTK_PCI_RX_BUF_SIZE)) {
+ rtw_dbg(rtwdev, RTW_DBG_RX,
+ "oversized RX packet: %u\n", new_len);
+ goto next_rp;
+ }
new = dev_alloc_skb(new_len);
if (WARN_ONCE(!new, "rx routine starvation\n"))
goto next_rp;
--
2.47.3
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
@ 2026-04-21 11:14 Tristan Madani
2026-04-29 5:33 ` Ping-Ke Shih
0 siblings, 1 reply; 5+ messages in thread
From: Tristan Madani @ 2026-04-21 11:14 UTC (permalink / raw)
To: Ping-Ke Shih
Cc: Bitterblue Smith, Johannes Berg, linux-wireless, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
In rtw_pci_rx_napi(), new_len is computed as the sum of pkt_len (14-bit
descriptor field, max 16383) and pkt_offset (drv_info_sz + shift, both
firmware-controlled). The result can exceed RTK_PCI_RX_BUF_SIZE (11478),
causing an out-of-bounds read from the pre-allocated DMA buffer when
skb_put_data copies new_len bytes. The USB transport already validates
this (rtw_usb_rx_data_put checks against RTW_USB_MAX_RECVBUF_SZ); the
PCIe path does not.
Add a check that new_len does not exceed the DMA buffer size.
Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Wrap check in unlikely() since this is the RX hot path, per
Ping-Ke Shih.
Changes in v2:
- Clarify field widths and maximum new_len derivation in commit
message, per Ping-Ke Shih.
drivers/net/wireless/realtek/rtw88/pci.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c
index bba370ad510cf..465598d5dc467 100644
--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -1077,6 +1077,11 @@ static u32 rtw_pci_rx_napi(struct rtw_dev *rtwdev, struct rtw_pci *rtwpci,
* discard the frame if none available
*/
new_len = pkt_stat.pkt_len + pkt_offset;
+ if (unlikely(new_len > RTK_PCI_RX_BUF_SIZE)) {
+ rtw_dbg(rtwdev, RTW_DBG_RX,
+ "oversized RX packet: %u\n", new_len);
+ goto next_rp;
+ }
new = dev_alloc_skb(new_len);
if (WARN_ONCE(!new, "rx routine starvation\n"))
goto next_rp;
--
2.47.3
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
2026-04-21 11:14 Tristan Madani
@ 2026-04-29 5:33 ` Ping-Ke Shih
0 siblings, 0 replies; 5+ messages in thread
From: Ping-Ke Shih @ 2026-04-29 5:33 UTC (permalink / raw)
To: Tristan Madani, Ping-Ke Shih
Cc: Bitterblue Smith, Johannes Berg, linux-wireless, Tristan Madani
Tristan Madani <tristmd@gmail.com> wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> In rtw_pci_rx_napi(), new_len is computed as the sum of pkt_len (14-bit
> descriptor field, max 16383) and pkt_offset (drv_info_sz + shift, both
> firmware-controlled). The result can exceed RTK_PCI_RX_BUF_SIZE (11478),
> causing an out-of-bounds read from the pre-allocated DMA buffer when
> skb_put_data copies new_len bytes. The USB transport already validates
> this (rtw_usb_rx_data_put checks against RTW_USB_MAX_RECVBUF_SZ); the
> PCIe path does not.
>
> Add a check that new_len does not exceed the DMA buffer size.
>
> Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
1 patch(es) applied to rtw-next branch of rtw.git, thanks.
6e76e9ed273d wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
---
https://github.com/pkshih/rtw.git
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-04-29 5:33 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-21 10:35 [PATCH v3] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer Tristan Madani
2026-04-21 10:59 ` Johannes Berg
-- strict thread matches above, loose matches on Subject: below --
2026-04-21 11:00 Tristan Madani
2026-04-21 11:14 Tristan Madani
2026-04-29 5:33 ` Ping-Ke Shih
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox