* [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb()
@ 2025-11-03 19:55 pip-izony
2026-07-16 22:15 ` Jeff Johnson
0 siblings, 1 reply; 3+ messages in thread
From: pip-izony @ 2025-11-03 19:55 UTC (permalink / raw)
To: Ingo Molnar, Thomas Gleixner, Johannes Berg, Roopni Devanathan
Cc: Seungjin Bae, Kyungtae Kim, Pontus Fuchs, John W . Linville,
linux-wireless, linux-kernel
From: Seungjin Bae <eeodqql09@gmail.com>
In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len,
which is provided by the USB device.
The function checks for an upper bound (rxlen > ar->rxbufsz) and for a
zero value (!rxlen), but it fails to check for a proper lower bound
against the size of the descriptor.
If a malicious device provides an `rxlen` value that is positive
but smaller than sizeof(struct ar5523_rx_desc), the subtraction in
the call to skb_put() will result in an integer underflow.
This passes a very large unsigned value to skb_put(), which then
triggers a kernel panic upon detecting the potential buffer overflow.
Fix this by adding a check to ensure `rxlen` is at least
sizeof(struct ar5523_rx_desc) before performing the substraction.
Fixes: b7d572e1871df ("ar5523: Add new driver")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index 1230e6278f23..dfaccf241560 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -589,6 +589,12 @@ static void ar5523_data_rx_cb(struct urb *urb)
goto skip;
}
+ if (rxlen < sizeof(struct ar5523_rx_desc)) {
+ ar5523_dbg(ar, "RX: Bad descriptor (len=%d is too small)\n",
+ rxlen);
+ goto skip;
+ }
+
skb_reserve(data->skb, sizeof(*chunk));
skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc));
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb() 2025-11-03 19:55 [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb() pip-izony @ 2026-07-16 22:15 ` Jeff Johnson 2026-07-17 11:02 ` [PATCH v2] wifi: ar5523: validate rxlen against descriptor size and usblen " pip-izony 0 siblings, 1 reply; 3+ messages in thread From: Jeff Johnson @ 2026-07-16 22:15 UTC (permalink / raw) To: pip-izony, Ingo Molnar, Thomas Gleixner, Johannes Berg, Roopni Devanathan Cc: Kyungtae Kim, Pontus Fuchs, John W . Linville, linux-wireless, linux-kernel On 11/3/2025 11:55 AM, pip-izony wrote: > From: Seungjin Bae <eeodqql09@gmail.com> > > In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len, > which is provided by the USB device. > > The function checks for an upper bound (rxlen > ar->rxbufsz) and for a > zero value (!rxlen), but it fails to check for a proper lower bound > against the size of the descriptor. > > If a malicious device provides an `rxlen` value that is positive > but smaller than sizeof(struct ar5523_rx_desc), the subtraction in > the call to skb_put() will result in an integer underflow. > > This passes a very large unsigned value to skb_put(), which then > triggers a kernel panic upon detecting the potential buffer overflow. > > Fix this by adding a check to ensure `rxlen` is at least > sizeof(struct ar5523_rx_desc) before performing the substraction. > > Fixes: b7d572e1871df ("ar5523: Add new driver") > Signed-off-by: Seungjin Bae <eeodqql09@gmail.com> > --- > drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c > index 1230e6278f23..dfaccf241560 100644 > --- a/drivers/net/wireless/ath/ar5523/ar5523.c > +++ b/drivers/net/wireless/ath/ar5523/ar5523.c > @@ -589,6 +589,12 @@ static void ar5523_data_rx_cb(struct urb *urb) > goto skip; > } > > + if (rxlen < sizeof(struct ar5523_rx_desc)) { > + ar5523_dbg(ar, "RX: Bad descriptor (len=%d is too small)\n", > + rxlen); > + goto skip; > + } > + > skb_reserve(data->skb, sizeof(*chunk)); > skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc)); > Since this is an orphaned driver, this patch has been sitting in my patchwork queue for a very long time. Today I decided to take a look. The patch does address the issue mentioned, but really doesn't completely address the crux of the issue. I believe there should be a fixed correlation between the rxlen and the usblen. I posed the following question to my review agent: given that the usblen should account for the ar5523_chunk header, the payload, and the ar5523_rx_desc, shouldn't the rxlen always be the same as the usblen - sizeof(ar5523_chunk)? And my agent agreed: Yes, that's exactly right. Looking at the struct comment "msg length including header" for desc->len and the frame layout: [ar5523_chunk (4B)] [802.11 payload] [ar5523_rx_desc] ←──────────────────── usblen ──────────────────────→ The invariant should be: rxlen == usblen - sizeof(ar5523_chunk) Because rxlen covers [802.11 payload] + [ar5523_rx_desc], and usblen covers everything including the chunk header. The code never cross-validates them. It independently bounds-checks usblen (via AR5523_MIN_RXBUFSZ) and rxlen (upper bound vs rxbufsz, lower bound added by the patch), but if a malicious device provides rxlen > usblen - sizeof(ar5523_chunk), then: skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc)); ...would expose bytes beyond the actual 802.11 payload — potentially biting into the ar5523_rx_desc trailer bytes, or uninitialized skb tail space up to rxbufsz, and pass that garbage to ieee80211_rx_irqsafe(). The existing upper bound check rxlen > ar->rxbufsz prevents a skb_put overflow (since the skb is allocated with rxbufsz), but it's far too loose. The right check would be: if (rxlen != usblen - sizeof(struct ar5523_chunk)) goto skip; Or at minimum a strict upper bound: if (rxlen > usblen - sizeof(struct ar5523_chunk)) goto skip; So the patch fixes the underflow but misses this inconsistency between rxlen and usblen that could allow overreading valid-but-wrong data within the skb buffer. So please consider this analysis and propose a v2 /jeff ^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH v2] wifi: ar5523: validate rxlen against descriptor size and usblen in ar5523_data_rx_cb() 2026-07-16 22:15 ` Jeff Johnson @ 2026-07-17 11:02 ` pip-izony 0 siblings, 0 replies; 3+ messages in thread From: pip-izony @ 2026-07-17 11:02 UTC (permalink / raw) To: Jeff Johnson, Kees Cook Cc: Seungjin Bae, Kyungtae Kim, Pontus Fuchs, John W . Linville, linux-wireless, linux-kernel From: Seungjin Bae <eeodqql09@gmail.com> In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len, which is provided by the USB device. The function checks for an upper bound (rxlen > ar->rxbufsz) and for a zero value (!rxlen), but it fails to check for a proper lower bound against the size of the descriptor. If a malicious device provides an `rxlen` value that is positive but smaller than sizeof(struct ar5523_rx_desc), the subtraction in the call to skb_put() will result in an integer underflow. This passes a very large unsigned value to skb_put(), which then triggers a kernel panic upon detecting the potential buffer overflow. Fix this by adding a check to ensure `rxlen` is at least sizeof(struct ar5523_rx_desc) before performing the subtraction. Additionally, `rxlen` is not cross-checked against usblen (the number of bytes actually received). Since the frame layout is [ar5523_chunk][802.11 payload][ar5523_rx_desc] and `usblen` covers the whole buffer, a valid rxlen cannot exceed `usblen - sizeof(chunk)`. A device reporting a larger `rxlen` would cause skb_put() to expose descriptor trailer bytes or uninitialized skb tail data as 802.11 payload to ieee80211_rx_irqsafe(). Add a check to reject such frames. Fixes: b7d572e1871df ("ar5523: Add new driver") Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com> --- v1 -> v2: cross-check rxlen against usblen to prevent overreading past the received payload drivers/net/wireless/ath/ar5523/ar5523.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c index 66ac396858a5..3ee4b020f416 100644 --- a/drivers/net/wireless/ath/ar5523/ar5523.c +++ b/drivers/net/wireless/ath/ar5523/ar5523.c @@ -589,6 +589,18 @@ static void ar5523_data_rx_cb(struct urb *urb) goto skip; } + if (rxlen < sizeof(struct ar5523_rx_desc)) { + ar5523_dbg(ar, "RX: Bad descriptor (len=%u is too small)\n", + rxlen); + goto skip; + } + + if (rxlen > usblen - sizeof(struct ar5523_chunk)) { + ar5523_dbg(ar, "RX: rxlen too large (rxlen=%u usblen=%d)\n", + rxlen, usblen); + goto skip; + } + skb_reserve(data->skb, sizeof(*chunk)); skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc)); -- 2.43.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-17 11:03 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-11-03 19:55 [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb() pip-izony 2026-07-16 22:15 ` Jeff Johnson 2026-07-17 11:02 ` [PATCH v2] wifi: ar5523: validate rxlen against descriptor size and usblen " pip-izony
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox