* [PATCH v2 0/3] wifi: ath6kl: fix OOB accesses from firmware-controlled fields
@ 2026-04-15 22:23 Tristan Madani
2026-04-15 22:23 ` [PATCH v2 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size Tristan Madani
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Tristan Madani @ 2026-04-15 22:23 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel
From: Tristan Madani <tristan@talencesecurity.com>
Hi Johannes,
Note: this is a v2 resubmission. The original was sent via Gmail which
caused HTML rendering issues. This version uses git send-email for
proper plain-text formatting.
Three issues in ath6kl where firmware-controlled fields are used without
bounds checking:
Proposed fixes in the following patches.
Thanks,
Tristan
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size
2026-04-15 22:23 [PATCH v2 0/3] wifi: ath6kl: fix OOB accesses from firmware-controlled fields Tristan Madani
@ 2026-04-15 22:23 ` Tristan Madani
2026-04-15 22:23 ` [PATCH v2 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event Tristan Madani
2026-04-15 22:23 ` [PATCH v2 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler Tristan Madani
2 siblings, 0 replies; 4+ messages in thread
From: Tristan Madani @ 2026-04-15 22:23 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel
From: Tristan Madani <tristan@talencesecurity.com>
aggr_recv_addba_req_evt() logs a debug message when the firmware-supplied
win_sz is outside [AGGR_WIN_SZ_MIN, AGGR_WIN_SZ_MAX] but does not
return. The out-of-range win_sz is then used in TID_WINDOW_SZ() to
compute a kzalloc size and stored in rxtid->hold_q_sz, leading to
zero-size or overflowed allocations and subsequent OOB access.
Return early when win_sz is out of the valid range.
Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/ath/ath6kl/txrx.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -1725,8 +1725,10 @@ void aggr_recv_addba_req_evt(struct ath6kl_vif *vif, u8 tid_mux, u16 seq_no,
- if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX)
+ if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX) {
ath6kl_dbg(ATH6KL_DBG_WLAN_RX, "%s: win_sz %d, tid %d\n",
__func__, win_sz, tid);
+ return;
+ }
if (rxtid->aggr)
aggr_delete_tid_state(aggr_conn, tid);
--
2.43.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event
2026-04-15 22:23 [PATCH v2 0/3] wifi: ath6kl: fix OOB accesses from firmware-controlled fields Tristan Madani
2026-04-15 22:23 ` [PATCH v2 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size Tristan Madani
@ 2026-04-15 22:23 ` Tristan Madani
2026-04-15 22:23 ` [PATCH v2 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler Tristan Madani
2 siblings, 0 replies; 4+ messages in thread
From: Tristan Madani @ 2026-04-15 22:23 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel
From: Tristan Madani <tristan@talencesecurity.com>
The firmware-controlled beacon_ie_len, assoc_req_len, and assoc_resp_len
fields in ath6kl_wmi_connect_event_rx() are not validated against the
buffer length. Their sum (up to 765) can exceed the actual WMI event
data, causing out-of-bounds reads during IE parsing and state corruption
of wmi->is_wmm_enabled.
Add a check that the total IE length fits within the buffer.
Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/ath/ath6kl/wmi.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -860,6 +860,13 @@ static int ath6kl_wmi_connect_event_rx(struct wmi *wmi, u8 *datap, int len,
ev = (struct wmi_connect_event *) datap;
+ if (len < sizeof(*ev) + ev->beacon_ie_len +
+ ev->assoc_req_len + ev->assoc_resp_len) {
+ ath6kl_dbg(ATH6KL_DBG_WMI,
+ "connect event: IE lengths %u+%u+%u exceed buffer %d\n",
+ ev->beacon_ie_len, ev->assoc_req_len,
+ ev->assoc_resp_len, len);
+ return -EINVAL;
+ }
if (vif->nw_type == AP_NETWORK) {
/* AP mode start/STA connected event */
struct net_device *dev = vif->ndev;
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler
2026-04-15 22:23 [PATCH v2 0/3] wifi: ath6kl: fix OOB accesses from firmware-controlled fields Tristan Madani
2026-04-15 22:23 ` [PATCH v2 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size Tristan Madani
2026-04-15 22:23 ` [PATCH v2 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event Tristan Madani
@ 2026-04-15 22:23 ` Tristan Madani
2 siblings, 0 replies; 4+ messages in thread
From: Tristan Madani @ 2026-04-15 22:23 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel
From: Tristan Madani <tristan@talencesecurity.com>
The firmware-controlled num_msg field (u8, 0-255) drives the loop in
ath6kl_wmi_tx_complete_event_rx() without validation against the buffer
length. This allows out-of-bounds reads of up to 1020 bytes past the
WMI event buffer when the firmware sends an inflated num_msg.
Add a check that the buffer is large enough to hold num_msg entries.
Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/ath/ath6kl/wmi.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -485,6 +485,12 @@ static int ath6kl_wmi_tx_complete_event_rx(u8 *datap, int len)
evt = (struct wmi_tx_complete_event *) datap;
+ if (len < sizeof(*evt) ||
+ len < sizeof(*evt) + evt->num_msg * sizeof(struct tx_complete_msg_v1)) {
+ ath6kl_dbg(ATH6KL_DBG_WMI, "tx complete: invalid len %d for %u msgs\n",
+ len, evt->num_msg);
+ return -EINVAL;
+ }
ath6kl_dbg(ATH6KL_DBG_WMI, "comp: %d %d %d\n",
evt->num_msg, evt->msg_len, evt->msg_type);
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-15 22:23 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-15 22:23 [PATCH v2 0/3] wifi: ath6kl: fix OOB accesses from firmware-controlled fields Tristan Madani
2026-04-15 22:23 ` [PATCH v2 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size Tristan Madani
2026-04-15 22:23 ` [PATCH v2 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event Tristan Madani
2026-04-15 22:23 ` [PATCH v2 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler Tristan Madani
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox