[PATCH] wifi: carl9170: bail out on invalid command response to fix stack-out-of-bounds write

Linux wireless drivers development
 help / color / mirror / Atom feed

* [PATCH] wifi: carl9170: bail out on invalid command response to fix stack-out-of-bounds write
@ 2026-06-24  5:32 hewei-gikaku
  0 siblings, 0 replies; only message in thread
From: hewei-gikaku @ 2026-06-24  5:32 UTC (permalink / raw)
  To: Christian Lamparter
  Cc: linux-wireless, linux-kernel, HE WEI, syzbot+5c1ca6ccaa1215781cac

From: HE WEI (ギカク) <skyexpoc@gmail.com>

carl9170_cmd_callback() copies a command response coming from the USB
device into ar->readbuf using the device-reported length:

	memcpy(ar->readbuf, buffer + 4, len - 4);

ar->readbuf points at the buffer supplied by the caller of
carl9170_exec_cmd(), which is frequently an on-stack buffer sized to the
expected response length (ar->readlen).

The preceding sanity check only emits a warning and schedules a restart
when ar->readlen != len - 4; it does not stop processing, so the
memcpy() still runs with the attacker-controlled length.  A malicious or
malfunctioning AR9170 USB device can therefore answer a pending command
with an over-sized response and overflow ar->readbuf, as reported by
syzbot:

  BUG: KASAN: stack-out-of-bounds Write in carl9170_handle_command_response

The comment in that branch already documents the intended behaviour
("Do not complete.  The command times out, and we get a stack trace from
there."), but the return statement was missing.  Return after
carl9170_restart() so an over-/under-sized response is neither copied
into ar->readbuf nor completed; carl9170_exec_cmd() then times out and
clears readbuf in its error path.

Reported-by: syzbot+5c1ca6ccaa1215781cac@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac
Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: HE WEI (ギカク) <skyexpoc@gmail.com>
---
 drivers/net/wireless/ath/carl9170/rx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
--- a/drivers/net/wireless/ath/carl9170/rx.c
+++ b/drivers/net/wireless/ath/carl9170/rx.c
@@ -145,6 +145,7 @@ static void carl9170_cmd_callback(struct ar9170 *ar, u32 len, void *buffer)
 		 * and we get a stack trace from there.
 		 */
 		carl9170_restart(ar, CARL9170_RR_INVALID_RSP);
+		return;
 	}

 	spin_lock(&ar->cmd_lock);
--
2.43.0

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2026-06-24  5:33 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-24  5:32 [PATCH] wifi: carl9170: bail out on invalid command response to fix stack-out-of-bounds write hewei-gikaku

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox