Linux wireless drivers development
 help / color / mirror / Atom feed
* [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb()
@ 2025-11-03 19:55 pip-izony
  2026-07-16 22:15 ` Jeff Johnson
  0 siblings, 1 reply; 3+ messages in thread
From: pip-izony @ 2025-11-03 19:55 UTC (permalink / raw)
  To: Ingo Molnar, Thomas Gleixner, Johannes Berg, Roopni Devanathan
  Cc: Seungjin Bae, Kyungtae Kim, Pontus Fuchs, John W . Linville,
	linux-wireless, linux-kernel

From: Seungjin Bae <eeodqql09@gmail.com>

In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len,
which is provided by the USB device.

The function checks for an upper bound (rxlen > ar->rxbufsz) and for a
zero value (!rxlen), but it fails to check for a proper lower bound
against the size of the descriptor.

If a malicious device provides an `rxlen` value that is positive
but smaller than sizeof(struct ar5523_rx_desc), the subtraction in
the call to skb_put() will result in an integer underflow.

This passes a very large unsigned value to skb_put(), which then
triggers a kernel panic upon detecting the potential buffer overflow.

Fix this by adding a check to ensure `rxlen` is at least
sizeof(struct ar5523_rx_desc) before performing the substraction.

Fixes: b7d572e1871df ("ar5523: Add new driver")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
 drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index 1230e6278f23..dfaccf241560 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -589,6 +589,12 @@ static void ar5523_data_rx_cb(struct urb *urb)
 		goto skip;
 	}
 
+	if (rxlen < sizeof(struct ar5523_rx_desc)) {
+		ar5523_dbg(ar, "RX: Bad descriptor (len=%d is too small)\n",
+			   rxlen);
+		goto skip;
+	}
+
 	skb_reserve(data->skb, sizeof(*chunk));
 	skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc));
 
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb()
  2025-11-03 19:55 [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb() pip-izony
@ 2026-07-16 22:15 ` Jeff Johnson
  2026-07-17 11:02   ` [PATCH v2] wifi: ar5523: validate rxlen against descriptor size and usblen " pip-izony
  0 siblings, 1 reply; 3+ messages in thread
From: Jeff Johnson @ 2026-07-16 22:15 UTC (permalink / raw)
  To: pip-izony, Ingo Molnar, Thomas Gleixner, Johannes Berg,
	Roopni Devanathan
  Cc: Kyungtae Kim, Pontus Fuchs, John W . Linville, linux-wireless,
	linux-kernel

On 11/3/2025 11:55 AM, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@gmail.com>
> 
> In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len,
> which is provided by the USB device.
> 
> The function checks for an upper bound (rxlen > ar->rxbufsz) and for a
> zero value (!rxlen), but it fails to check for a proper lower bound
> against the size of the descriptor.
> 
> If a malicious device provides an `rxlen` value that is positive
> but smaller than sizeof(struct ar5523_rx_desc), the subtraction in
> the call to skb_put() will result in an integer underflow.
> 
> This passes a very large unsigned value to skb_put(), which then
> triggers a kernel panic upon detecting the potential buffer overflow.
> 
> Fix this by adding a check to ensure `rxlen` is at least
> sizeof(struct ar5523_rx_desc) before performing the substraction.
> 
> Fixes: b7d572e1871df ("ar5523: Add new driver")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
>  drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
> index 1230e6278f23..dfaccf241560 100644
> --- a/drivers/net/wireless/ath/ar5523/ar5523.c
> +++ b/drivers/net/wireless/ath/ar5523/ar5523.c
> @@ -589,6 +589,12 @@ static void ar5523_data_rx_cb(struct urb *urb)
>  		goto skip;
>  	}
>  
> +	if (rxlen < sizeof(struct ar5523_rx_desc)) {
> +		ar5523_dbg(ar, "RX: Bad descriptor (len=%d is too small)\n",
> +			   rxlen);
> +		goto skip;
> +	}
> +
>  	skb_reserve(data->skb, sizeof(*chunk));
>  	skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc));
>  

Since this is an orphaned driver, this patch has been sitting in my patchwork
queue for a very long time. Today I decided to take a look.

The patch does address the issue mentioned, but really doesn't completely
address the crux of the issue. I believe there should be a fixed correlation
between the rxlen and the usblen. I posed the following question to my review
agent:

given that the usblen should account for the ar5523_chunk header, the payload,
and the ar5523_rx_desc, shouldn't the rxlen always be the same as the usblen -
sizeof(ar5523_chunk)?

And my agent agreed:

Yes, that's exactly right. Looking at the struct comment "msg length including
header" for desc->len and the frame layout:

  [ar5523_chunk (4B)] [802.11 payload] [ar5523_rx_desc]
   ←──────────────────── usblen ──────────────────────→

  The invariant should be:

  rxlen == usblen - sizeof(ar5523_chunk)

  Because rxlen covers [802.11 payload] + [ar5523_rx_desc], and usblen covers
everything including the chunk header.

  The code never cross-validates them. It independently bounds-checks usblen
(via AR5523_MIN_RXBUFSZ) and rxlen (upper bound vs rxbufsz, lower bound added
by the patch), but if a malicious device provides rxlen > usblen -
sizeof(ar5523_chunk), then:

  skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc));

  ...would expose bytes beyond the actual 802.11 payload — potentially biting
into the ar5523_rx_desc trailer bytes, or uninitialized skb tail space up to
rxbufsz, and pass that garbage to ieee80211_rx_irqsafe().

  The existing upper bound check rxlen > ar->rxbufsz prevents a skb_put
overflow (since the skb is allocated with rxbufsz), but it's far too loose.
The right check would be:

  if (rxlen != usblen - sizeof(struct ar5523_chunk))
      goto skip;

  Or at minimum a strict upper bound:

  if (rxlen > usblen - sizeof(struct ar5523_chunk))
      goto skip;

  So the patch fixes the underflow but misses this inconsistency between rxlen
and usblen that could allow overreading valid-but-wrong data within the skb
buffer.

So please consider this analysis and propose a v2

/jeff

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH v2] wifi: ar5523: validate rxlen against descriptor size and usblen in ar5523_data_rx_cb()
  2026-07-16 22:15 ` Jeff Johnson
@ 2026-07-17 11:02   ` pip-izony
  0 siblings, 0 replies; 3+ messages in thread
From: pip-izony @ 2026-07-17 11:02 UTC (permalink / raw)
  To: Jeff Johnson, Kees Cook
  Cc: Seungjin Bae, Kyungtae Kim, Pontus Fuchs, John W . Linville,
	linux-wireless, linux-kernel

From: Seungjin Bae <eeodqql09@gmail.com>

In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len,
which is provided by the USB device.

The function checks for an upper bound (rxlen > ar->rxbufsz) and for a
zero value (!rxlen), but it fails to check for a proper lower bound
against the size of the descriptor.

If a malicious device provides an `rxlen` value that is positive
but smaller than sizeof(struct ar5523_rx_desc), the subtraction in
the call to skb_put() will result in an integer underflow.

This passes a very large unsigned value to skb_put(), which then
triggers a kernel panic upon detecting the potential buffer overflow.

Fix this by adding a check to ensure `rxlen` is at least
sizeof(struct ar5523_rx_desc) before performing the subtraction.

Additionally, `rxlen` is not cross-checked against usblen (the number
of bytes actually received). Since the frame layout is
[ar5523_chunk][802.11 payload][ar5523_rx_desc] and `usblen` covers the
whole buffer, a valid rxlen cannot exceed `usblen - sizeof(chunk)`. A
device reporting a larger `rxlen` would cause skb_put() to expose
descriptor trailer bytes or uninitialized skb tail data as 802.11
payload to ieee80211_rx_irqsafe().

Add a check to reject such frames.

Fixes: b7d572e1871df ("ar5523: Add new driver")
Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
 v1 -> v2: cross-check rxlen against usblen to prevent overreading past the received payload
 
 drivers/net/wireless/ath/ar5523/ar5523.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index 66ac396858a5..3ee4b020f416 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -589,6 +589,18 @@ static void ar5523_data_rx_cb(struct urb *urb)
 		goto skip;
 	}
 
+	if (rxlen < sizeof(struct ar5523_rx_desc)) {
+		ar5523_dbg(ar, "RX: Bad descriptor (len=%u is too small)\n",
+			   rxlen);
+		goto skip;
+	}
+
+	if (rxlen > usblen - sizeof(struct ar5523_chunk)) {
+		ar5523_dbg(ar, "RX: rxlen too large (rxlen=%u usblen=%d)\n",
+			   rxlen, usblen);
+		goto skip;
+	}
+
 	skb_reserve(data->skb, sizeof(*chunk));
 	skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc));
 
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-07-17 11:03 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-03 19:55 [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb() pip-izony
2026-07-16 22:15 ` Jeff Johnson
2026-07-17 11:02   ` [PATCH v2] wifi: ar5523: validate rxlen against descriptor size and usblen " pip-izony

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox