* [PATCH v2] wifi: mwifiex: bound uAP association event IEs to the event buffer
@ 2026-07-15 13:57 HE WEI (ギカク)
2026-07-15 16:28 ` Francesco Dolcini
0 siblings, 1 reply; 3+ messages in thread
From: HE WEI (ギカク) @ 2026-07-15 13:57 UTC (permalink / raw)
To: Brian Norris
Cc: Francesco Dolcini, Miri Korenblit, Johannes Berg, Kees Cook,
Kalle Valo, linux-wireless, linux-kernel,
HE WEI (ギカク)
mwifiex_process_uap_event() handles EVENT_UAP_STA_ASSOC by exposing the
(re)association request IEs that the firmware copies into the event:
sinfo->assoc_req_ies = &event->data[len];
len = (u8 *)sinfo->assoc_req_ies - (u8 *)&event->frame_control;
sinfo->assoc_req_ies_len = le16_to_cpu(event->len) - (u16)len;
event->len is supplied by the device firmware and is never validated,
and the subtraction is unchecked. assoc_req_ies points into
adapter->event_body[MAX_EVENT_SIZE], a fixed-size array embedded in the
kmalloc()'d struct mwifiex_adapter.
On the ap_11n_enabled path mwifiex_set_sta_ht_cap() walks these IEs with
cfg80211_find_ie(), whose for_each_element() loop dereferences each
element header. A firmware-reported event->len larger than the bytes
actually received makes assoc_req_ies_len describe IEs that extend past
event_body, so the walk reads out of the adapter slab object, a
slab-out-of-bounds read (KASAN: slab-out-of-bounds in cfg80211_find_ie).
An event->len smaller than the header instead makes the int subtraction
negative, which wraps to a huge size_t when stored in assoc_req_ies_len.
The same length is handed to cfg80211_new_sta(), so a more modest
over-claim can also copy stale event_body bytes into the
NL80211_CMD_NEW_STATION notification.
A malicious or malfunctioning mwifiex device (USB/SDIO/PCIe) can deliver
such an event while the interface is in AP/uAP mode.
Validate event->len before use: reject a length that underflows the
header or that would place the IEs outside the event_body[] buffer the
event was copied into. event->len here is struct mwifiex_assoc_event.len,
a payload field internal to this event, not the transport frame length,
so it is validated in this handler rather than at the generic
MWIFIEX_TYPE_EVENT receive path, which only sees the event cause and the
transport frame length. The bound is against event_body[MAX_EVENT_SIZE]
rather than the actually-received length because the transports store the
event differently (USB and SDIO leave the 4-byte event header in
event_skb, PCIe strips it via skb_pull), whereas event_body is the single
fixed buffer all of them copy the event into. This is the event-path
analogue of the receive-path bounds checks added in commit 119585281617
("wifi: mwifiex: Fix OOB and integer underflow when rx packets").
Fixes: e568634ae7ac ("mwifiex: add AP event handling framework")
Signed-off-by: HE WEI (ギカク) <skyexpoc@gmail.com>
---
v2: fold le16_to_cpu(event->len) into a local evt_len as requested, which
also shortens the bounds check. No functional change.
.../net/wireless/marvell/mwifiex/uap_event.c | 24 +++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/uap_event.c b/drivers/net/wireless/marvell/mwifiex/uap_event.c
index 679fdae0f001..ba1bdbbff687 100644
--- a/drivers/net/wireless/marvell/mwifiex/uap_event.c
+++ b/drivers/net/wireless/marvell/mwifiex/uap_event.c
@@ -123,11 +123,31 @@ int mwifiex_process_uap_event(struct mwifiex_private *priv)
len = ETH_ALEN;
if (len != -1) {
+ u16 evt_len = le16_to_cpu(event->len);
+
sinfo->assoc_req_ies = &event->data[len];
len = (u8 *)sinfo->assoc_req_ies -
(u8 *)&event->frame_control;
- sinfo->assoc_req_ies_len =
- le16_to_cpu(event->len) - (u16)len;
+
+ /*
+ * event->len is reported by the device firmware
+ * and is not otherwise validated. Reject a
+ * length that underflows the header, or that
+ * would place the association request IEs
+ * outside the fixed-size event_body[] buffer the
+ * event was copied into; otherwise the IE walk
+ * in mwifiex_set_sta_ht_cap() reads past
+ * event_body and out of the adapter slab object.
+ */
+ if (evt_len < len ||
+ (u8 *)&event->frame_control + evt_len >
+ adapter->event_body + MAX_EVENT_SIZE) {
+ mwifiex_dbg(adapter, ERROR,
+ "invalid STA assoc event length\n");
+ kfree(sinfo);
+ return -1;
+ }
+ sinfo->assoc_req_ies_len = evt_len - (u16)len;
}
}
cfg80211_new_sta(priv->netdev->ieee80211_ptr, event->sta_addr,
--
2.54.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH v2] wifi: mwifiex: bound uAP association event IEs to the event buffer
2026-07-15 13:57 [PATCH v2] wifi: mwifiex: bound uAP association event IEs to the event buffer HE WEI (ギカク)
@ 2026-07-15 16:28 ` Francesco Dolcini
2026-07-15 23:00 ` HE WEI(ギカク)
0 siblings, 1 reply; 3+ messages in thread
From: Francesco Dolcini @ 2026-07-15 16:28 UTC (permalink / raw)
To: HE WEI (ギカク)
Cc: Brian Norris, Francesco Dolcini, Miri Korenblit, Johannes Berg,
Kees Cook, Kalle Valo, linux-wireless, linux-kernel
On Wed, Jul 15, 2026 at 10:57:11PM +0900, HE WEI (ギカク) wrote:
> mwifiex_process_uap_event() handles EVENT_UAP_STA_ASSOC by exposing the
> (re)association request IEs that the firmware copies into the event:
>
> sinfo->assoc_req_ies = &event->data[len];
> len = (u8 *)sinfo->assoc_req_ies - (u8 *)&event->frame_control;
> sinfo->assoc_req_ies_len = le16_to_cpu(event->len) - (u16)len;
>
> event->len is supplied by the device firmware and is never validated,
> and the subtraction is unchecked. assoc_req_ies points into
...
>
> Fixes: e568634ae7ac ("mwifiex: add AP event handling framework")
> Signed-off-by: HE WEI (ギカク) <skyexpoc@gmail.com>
Where you able to test this? It looks ok, but you never know ...
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH v2] wifi: mwifiex: bound uAP association event IEs to the event buffer
2026-07-15 16:28 ` Francesco Dolcini
@ 2026-07-15 23:00 ` HE WEI(ギカク)
0 siblings, 0 replies; 3+ messages in thread
From: HE WEI(ギカク) @ 2026-07-15 23:00 UTC (permalink / raw)
To: Francesco Dolcini
Cc: Brian Norris, Miri Korenblit, Johannes Berg, Kees Cook,
Kalle Valo, linux-wireless, linux-kernel
> Where you able to test this? It looks ok, but you never know ...
>
> Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Thanks for the review and the tag. Honest answer: not on real
hardware. I don't have a mwifiex device, and the event is delivered by
the device firmware, so I could not drive EVENT_UAP_STA_ASSOC through
an actual association.
What I did verify: the driver builds on arm64 with W=1 and KASAN
enabled, no new warnings. And I checked the logic with an
AddressSanitizer userspace model of the exact arithmetic and the
cfg80211_find_ie() / for_each_element() walk. Without the patch it
faults with a heap-buffer-overflow READ one byte past the region that
stands in for the end of event_body. With this bound check applied to
the same model, the underflow and the over-claim that would run past
event_body[MAX_EVENT_SIZE] are rejected before the walk, so ASan is
clean.
A full in-kernel KASAN reproduction would need an emulated mwifiex
device (raw-gadget plus dummy_hcd for the USB case) to inject the
crafted event, which I have not set up. If anyone with the hardware
sees a uAP STA association, dumping event->len for a normal client
would also confirm that honest firmware stays well under the bound.
No change is requested, so I was not planning a respin; please tell me
if you would prefer one.
Francesco Dolcini <francesco@dolcini.it> 于2026年7月16日周四 01:28写道:
>
> On Wed, Jul 15, 2026 at 10:57:11PM +0900, HE WEI (ギカク) wrote:
> > mwifiex_process_uap_event() handles EVENT_UAP_STA_ASSOC by exposing the
> > (re)association request IEs that the firmware copies into the event:
> >
> > sinfo->assoc_req_ies = &event->data[len];
> > len = (u8 *)sinfo->assoc_req_ies - (u8 *)&event->frame_control;
> > sinfo->assoc_req_ies_len = le16_to_cpu(event->len) - (u16)len;
> >
> > event->len is supplied by the device firmware and is never validated,
> > and the subtraction is unchecked. assoc_req_ies points into
> ...
>
> >
> > Fixes: e568634ae7ac ("mwifiex: add AP event handling framework")
> > Signed-off-by: HE WEI (ギカク) <skyexpoc@gmail.com>
>
> Where you able to test this? It looks ok, but you never know ...
>
> Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-15 23:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15 13:57 [PATCH v2] wifi: mwifiex: bound uAP association event IEs to the event buffer HE WEI (ギカク)
2026-07-15 16:28 ` Francesco Dolcini
2026-07-15 23:00 ` HE WEI(ギカク)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox