public inbox for linux-wireless@vger.kernel.org
* [PATCH v2 0/2] wifi: wilc1000: fix integer underflow and OOB read from firmware packets
@ 2026-04-15 22:24 Tristan Madani
  2026-04-15 22:24 ` [PATCH v2 1/2] wifi: wilc1000: fix integer underflow in wilc_network_info_received() Tristan Madani
  2026-04-15 22:24 ` [PATCH v2 2/2] wifi: wilc1000: fix OOB read from firmware RX packet header fields Tristan Madani
  0 siblings, 2 replies; 3+ messages in thread
From: Tristan Madani @ 2026-04-15 22:24 UTC (permalink / raw)
  To: Ajay Singh, Claudiu Beznea; +Cc: Johannes Berg, linux-wireless

From: Tristan Madani <tristan@talencesecurity.com>

Hi Ajay, Claudiu,

Note: this is a v2 resubmission. The original was sent via Gmail which
caused HTML rendering issues. This version uses git send-email for
proper plain-text formatting.

Two issues in wilc1000 where firmware-controlled packet fields are used
without validation:

Proposed fixes in the following patches.

Thanks,
Tristan



* [PATCH v2 1/2] wifi: wilc1000: fix integer underflow in wilc_network_info_received()
  2026-04-15 22:24 [PATCH v2 0/2] wifi: wilc1000: fix integer underflow and OOB read from firmware packets Tristan Madani
@ 2026-04-15 22:24 ` Tristan Madani
  2026-04-15 22:24 ` [PATCH v2 2/2] wifi: wilc1000: fix OOB read from firmware RX packet header fields Tristan Madani
  1 sibling, 0 replies; 3+ messages in thread
From: Tristan Madani @ 2026-04-15 22:24 UTC (permalink / raw)
  To: Ajay Singh, Claudiu Beznea; +Cc: Johannes Berg, linux-wireless

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled frame length at buffer[6..7] is decremented by 1
and used as the kmemdup size without validating the value. When the
firmware sends 0, the u16 subtraction wraps to 65535, causing a 64KB
out-of-bounds read from the RX buffer. For non-zero but inflated values,
the read exceeds the actual packet data.

Add validation that the frame length is at least 1 and fits within the
available buffer.

Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/microchip/wilc1000/hif.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/microchip/wilc1000/hif.c
+++ b/drivers/net/wireless/microchip/wilc1000/hif.c
@@ -1572,6 +1572,7 @@ void wilc_network_info_received(struct wilc *wilc, u8 *buffer, u32 length)
 	struct wilc_vif *vif;
 	int srcu_idx;
 	int result;
+	u16 frame_len;
 	int id;

 	id = get_unaligned_le32(&buffer[length - 4]);
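Review bot: The unchanged context line right after the new declaration, `id = get_unaligned_le32(&buffer[length - 4]);`, indexes the tail of the buffer before anything has checked that `length` is large enough, and the bound added in the next hunk also subtracts from `length`. A single minimum-length check at the top of the function (rejecting anything shorter than the 9-byte header plus the 4-byte trailing id) would cover both this read and the later subtraction; consider adding it here rather than relying on every caller to guarantee it.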
@@ -1595,7 +1596,14 @@ void wilc_network_info_received(struct wilc *wilc, u8 *buffer, u32 length)
 	if (IS_ERR(msg))
 		goto out;

-	msg->body.net_info.frame_len = get_unaligned_le16(&buffer[6]) - 1;
+	frame_len = get_unaligned_le16(&buffer[6]);
+	if (frame_len == 0 || frame_len > length - 9) {
+		netdev_err(vif->ndev,
+			   "%s: invalid frame_len %u (buffer %u)\n",
+			   __func__, frame_len, length);
+		kfree(msg);
+		goto out;
+	}
+	msg->body.net_info.frame_len = frame_len - 1;
 	msg->body.net_info.rssi = buffer[8];
 	msg->body.net_info.mgmt = kmemdup(&buffer[9],
 					  msg->body.net_info.frame_len,
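Review bot: In `if (frame_len == 0 || frame_len > length - 9)`, `length` is a `u32` (see the hunk header), so for any `length < 9` the subtraction wraps to a value close to 4 billion and the upper bound can never fire. Either reject `length < 9` explicitly before this check, or write the comparison without the subtraction, e.g. `frame_len + 9 > length`, which cannot wrap since `frame_len` is a u16 promoted before the addition.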



* [PATCH v2 2/2] wifi: wilc1000: fix OOB read from firmware RX packet header fields
  2026-04-15 22:24 [PATCH v2 0/2] wifi: wilc1000: fix integer underflow and OOB read from firmware packets Tristan Madani
  2026-04-15 22:24 ` [PATCH v2 1/2] wifi: wilc1000: fix integer underflow in wilc_network_info_received() Tristan Madani
@ 2026-04-15 22:24 ` Tristan Madani
  1 sibling, 0 replies; 3+ messages in thread
From: Tristan Madani @ 2026-04-15 22:24 UTC (permalink / raw)
  To: Ajay Singh, Claudiu Beznea; +Cc: Johannes Berg, linux-wireless

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled pkt_len, tp_len, and pkt_offset fields from RX
frame headers are used without validation against the buffer size. This
allows a malicious or malfunctioning firmware to cause out-of-bounds
reads from the RX buffer via wilc_frmw_to_host() and
wilc_wfi_mgmt_rx() memcpy operations.

Add bounds checks to ensure tp_len does not exceed remaining buffer
space, and pkt_len + pkt_offset fits within tp_len.

Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/microchip/wilc1000/wlan.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/microchip/wilc1000/wlan.c b/drivers/net/wireless/microchip/wilc1000/wlan.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/microchip/wilc1000/wlan.c
+++ b/drivers/net/wireless/microchip/wilc1000/wlan.c
@@ -1122,6 +1122,12 @@ static void wilc_wlan_handle_rx_buff(struct wilc *wilc, u8 *buffer, int size)
 		if (pkt_len == 0 || tp_len == 0)
 			break;

+		if (tp_len > size - offset || pkt_len > tp_len) {
+			dev_err(wilc->dev, "invalid RX header: tp=%u pkt=%u remain=%d\n",
+				tp_len, pkt_len, size - offset);
+			break;
+		}
 		if (pkt_offset & IS_MANAGMEMENT) {
 			buff_ptr += HOST_HDR_OFFSET;
 			wilc_wfi_mgmt_rx(wilc, buff_ptr, pkt_len,
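Review bot: The new condition `if (tp_len > size - offset || pkt_len > tp_len)` is narrower than the commit message, which says pkt_len + pkt_offset must fit within tp_len: pkt_offset does not appear in the check, and the management branch directly below advances `buff_ptr += HOST_HDR_OFFSET;` before handing `pkt_len` bytes to wilc_wfi_mgmt_rx(), so a header with pkt_len == tp_len still passes while the copy extends HOST_HDR_OFFSET bytes past the validated range. Compare the offset actually applied on each path plus pkt_len against tp_len, and confirm `offset` cannot exceed `size` here, since `size - offset` is an int (per the `%d` in the message) and a negative value would convert badly in the comparison with the unsigned tp_len.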

