[PATCH v3 0/2] wifi: libertas: firmware trust boundary hardening

[PATCH v3 0/2] wifi: libertas: firmware trust boundary hardening

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

This series adds missing bounds checks for firmware-controlled fields
in the Marvell libertas driver.

Patch 1 validates pkt_ptr offset in the RX path. Patch 2 checks
bssdescriptsize in scan responses.

Changes in v3:
  - Regenerated from wireless-next with proper git format-patch.

Changes in v2:
  - No code changes from v1.

Tristan Madani (2):
  wifi: libertas: fix OOB read from firmware pkt_ptr offset in RX path
  wifi: libertas: fix OOB read from firmware bssdescriptsize in scan
    response

 drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
 drivers/net/wireless/marvell/libertas/rx.c  | 9 +++++++++
 2 files changed, 17 insertions(+)

-- 
2.47.3

[PATCH v3 1/2] wifi: libertas: fix OOB read from firmware pkt_ptr offset in RX path

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

lbs_process_rxed_packet() uses the firmware-supplied pkt_ptr as an
offset into the skb data without validating that it falls within the
skb buffer bounds. A malicious pkt_ptr value causes out-of-bounds
memory access when the function subsequently reads ethernet header
fields from p_rx_pkt.

Add a bounds check to ensure pkt_ptr plus the minimum packet header
size does not exceed skb->len.

Fixes: e45d8e534b67 ("libertas: add support for Marvell SD8688 chip")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
  - Regenerated from wireless-next with proper git format-patch to
    produce valid index hashes (v2 had post-processed index lines).

Changes in v2:
  - No code changes from v1.

 drivers/net/wireless/marvell/libertas/rx.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/net/wireless/marvell/libertas/rx.c b/drivers/net/wireless/marvell/libertas/rx.c
index c34d30f7cbe03..3497595a67595 100644
--- a/drivers/net/wireless/marvell/libertas/rx.c
+++ b/drivers/net/wireless/marvell/libertas/rx.c
@@ -73,6 +73,15 @@ int lbs_process_rxed_packet(struct lbs_private *priv, struct sk_buff *skb)
 	}
 
 	p_rx_pd = (struct rxpd *) skb->data;
+
+	if (le32_to_cpu(p_rx_pd->pkt_ptr) + sizeof(struct rxpackethdr) >
+	    skb->len) {
+		lbs_deb_rx("rx err: pkt_ptr %u beyond skb len %u\n",
+			   le32_to_cpu(p_rx_pd->pkt_ptr), skb->len);
+		ret = -EINVAL;
+		dev_kfree_skb(skb);
+		goto done;
+	}
 	p_rx_pkt = (struct rxpackethdr *) ((u8 *)p_rx_pd +
 		le32_to_cpu(p_rx_pd->pkt_ptr));
 
-- 
2.47.3

Re: [PATCH v3 1/2] wifi: libertas: fix OOB read from firmware pkt_ptr offset in RX path

[Johannes Berg]

On Tue, 2026-04-21 at 13:50 +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
> 
> lbs_process_rxed_packet() uses the firmware-supplied pkt_ptr as an
> offset into the skb data without validating that it falls within the
> skb buffer bounds. A malicious pkt_ptr value causes out-of-bounds
> memory access when the function subsequently reads ethernet header
> fields from p_rx_pkt.
> 
> Add a bounds check to ensure pkt_ptr plus the minimum packet header
> size does not exceed skb->len.

Please generally put a bit more thought into your patches.

> Fixes: e45d8e534b67 ("libertas: add support for Marvell SD8688 chip")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>

I'll also note again that I don't find any tool/LLM disclosure
improbably, nobody really cares about these rivers any more?

>  	p_rx_pd = (struct rxpd *) skb->data;
> +
> +	if (le32_to_cpu(p_rx_pd->pkt_ptr) + sizeof(struct rxpackethdr) >
> +	    skb->len) {
> 

At this point you don't even know yet that the skb is long enough to
access p_r x_pd->pkt_ptr *itself*, so this can't be right.

There's a length check later that checks for

        if (skb->len < (ETH_HLEN + 8 + sizeof(struct rxpd))) {

which probably needs to be moved up _and_ improved, but you're not
actually checking things correctly.

How is it that whatever tool you're using to find these isn't
complaining about the fix??

johannes

[PATCH v3 2/2] wifi: libertas: fix OOB read from firmware bssdescriptsize in scan response

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled bssdescriptsize field in lbs_ret_scan() is used
to compute the TSF descriptor position without validation against the
response buffer size. An inflated value causes out-of-bounds reads from
the 2312-byte response buffer into adjacent struct lbs_private members.

Add a check that bssdescriptsize fits within the response data.

Fixes: ff9fc791940f ("libertas: first stab at cfg80211 support")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
  - Regenerated from wireless-next with proper git format-patch to
    produce valid index hashes (v2 had post-processed index lines).

Changes in v2:
  - No code changes from v1.

 drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index 72c92f72469de..41dee6e0ca9fa 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -554,6 +554,14 @@ static int lbs_ret_scan(struct lbs_private *priv, unsigned long dummy,
 
 	bsssize = get_unaligned_le16(&scanresp->bssdescriptsize);
 
+	if (bsssize > le16_to_cpu(resp->size) -
+	    sizeof(struct cmd_ds_802_11_scan_rsp)) {
+		lbs_deb_scan(
+			"scan response: bssdescriptsize %d exceeds response\n",
+			bsssize);
+		goto done;
+	}
+
 	lbs_deb_scan("scan response: %d BSSs (%d bytes); resp size %d bytes\n",
 			scanresp->nr_sets, bsssize, le16_to_cpu(resp->size));
 
-- 
2.47.3