Linux wireless drivers development
 help / color / mirror / Atom feed
* [PATCH wireless] wifi: p54: validate RX frame length in p54_rx_eeprom_readback()
@ 2026-06-28  0:05 Xiang Mei
  2026-07-04 20:08 ` Christian Lamparter
  0 siblings, 1 reply; 2+ messages in thread
From: Xiang Mei @ 2026-06-28  0:05 UTC (permalink / raw)
  To: Christian Lamparter, linux-wireless
  Cc: linux-kernel, Johannes Berg, Arien Judge, Lachlan Hodges,
	Weiming Shi, Xiang Mei

p54_rx_eeprom_readback() copies the requested EEPROM slice out of a
device-supplied readback frame without checking that the skb actually holds
that many bytes. Commit da1b9a55ff11 ("wifi: p54: prevent buffer-overflow in
p54_rx_eeprom_readback()") closed the destination overflow by copying a
fixed priv->eeprom_slice_size (and rejecting a mismatched advertised len),
but the source side is still unbounded: nothing verifies the frame is long
enough to supply that many bytes.

A malicious USB device can send a short frame whose advertised len matches
priv->eeprom_slice_size while the payload is truncated. The equality check
passes and memcpy() reads past the end of the skb, leaking adjacent heap:

  BUG: KASAN: slab-out-of-bounds in p54_rx (drivers/net/wireless/intersil/p54/txrx.c:507)
  Read of size 1016 at addr ffff88800f077114 by task swapper/0/0
  Call Trace:
   <IRQ>
   ...
   __asan_memcpy (mm/kasan/shadow.c:105)
   p54_rx (drivers/net/wireless/intersil/p54/txrx.c:507)
   p54u_rx_cb (drivers/net/wireless/intersil/p54/p54usb.c:163)
   __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1657)
   dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:2005)
   ...
   </IRQ>

  The buggy address belongs to the object at ffff88800f0770c0
   which belongs to the cache skbuff_small_head of size 704
  The buggy address is located 84 bytes inside of
   allocated 704-byte region [ffff88800f0770c0, ffff88800f077380)

Check that the slice fits in the skb before copying.

Fixes: 7cb770729ba8 ("p54: move eeprom code into common library")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
 drivers/net/wireless/intersil/p54/txrx.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/intersil/p54/txrx.c b/drivers/net/wireless/intersil/p54/txrx.c
index 1294a1d6528e..9f491334c8d0 100644
--- a/drivers/net/wireless/intersil/p54/txrx.c
+++ b/drivers/net/wireless/intersil/p54/txrx.c
@@ -499,11 +499,19 @@ static void p54_rx_eeprom_readback(struct p54_common *priv,
 		if (le16_to_cpu(eeprom->v2.len) != priv->eeprom_slice_size)
 			return;
 
+		if (eeprom->v2.data + priv->eeprom_slice_size >
+		    skb_tail_pointer(skb))
+			return;
+
 		memcpy(priv->eeprom, eeprom->v2.data, priv->eeprom_slice_size);
 	} else {
 		if (le16_to_cpu(eeprom->v1.len) != priv->eeprom_slice_size)
 			return;
 
+		if (eeprom->v1.data + priv->eeprom_slice_size >
+		    skb_tail_pointer(skb))
+			return;
+
 		memcpy(priv->eeprom, eeprom->v1.data, priv->eeprom_slice_size);
 	}
 
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH wireless] wifi: p54: validate RX frame length in p54_rx_eeprom_readback()
  2026-06-28  0:05 [PATCH wireless] wifi: p54: validate RX frame length in p54_rx_eeprom_readback() Xiang Mei
@ 2026-07-04 20:08 ` Christian Lamparter
  0 siblings, 0 replies; 2+ messages in thread
From: Christian Lamparter @ 2026-07-04 20:08 UTC (permalink / raw)
  To: Xiang Mei, linux-wireless
  Cc: linux-kernel, Johannes Berg, Arien Judge, Lachlan Hodges,
	Weiming Shi

On 6/28/26 2:05 AM, Xiang Mei wrote:
> p54_rx_eeprom_readback() copies the requested EEPROM slice out of a
> device-supplied readback frame without checking that the skb actually holds
> that many bytes. Commit da1b9a55ff11 ("wifi: p54: prevent buffer-overflow in
> p54_rx_eeprom_readback()") closed the destination overflow by copying a
> fixed priv->eeprom_slice_size (and rejecting a mismatched advertised len),
> but the source side is still unbounded: nothing verifies the frame is long
> enough to supply that many bytes.
> 
> A malicious USB device can send a short frame whose advertised len matches
> priv->eeprom_slice_size while the payload is truncated. The equality check
> passes and memcpy() reads past the end of the skb, leaking adjacent heap:
> 
>    BUG: KASAN: slab-out-of-bounds in p54_rx (drivers/net/wireless/intersil/p54/txrx.c:507)
>    Read of size 1016 at addr ffff88800f077114 by task swapper/0/0
>    Call Trace:
>     <IRQ>
>     ...
>     __asan_memcpy (mm/kasan/shadow.c:105)
>     p54_rx (drivers/net/wireless/intersil/p54/txrx.c:507)
>     p54u_rx_cb (drivers/net/wireless/intersil/p54/p54usb.c:163)
>     __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1657)
>     dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:2005)
>     ...
>     </IRQ>
> 
>    The buggy address belongs to the object at ffff88800f0770c0
>     which belongs to the cache skbuff_small_head of size 704
>    The buggy address is located 84 bytes inside of
>     allocated 704-byte region [ffff88800f0770c0, ffff88800f077380)
> 
> Check that the slice fits in the skb before copying.
> 
> Fixes: 7cb770729ba8 ("p54: move eeprom code into common library")

Sure

Acked-by: Christian Lamparter <chunkeey@gmail.com>

> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
>   drivers/net/wireless/intersil/p54/txrx.c | 8 ++++++++
>   1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/net/wireless/intersil/p54/txrx.c b/drivers/net/wireless/intersil/p54/txrx.c
> index 1294a1d6528e..9f491334c8d0 100644
> --- a/drivers/net/wireless/intersil/p54/txrx.c
> +++ b/drivers/net/wireless/intersil/p54/txrx.c
> @@ -499,11 +499,19 @@ static void p54_rx_eeprom_readback(struct p54_common *priv,
>   		if (le16_to_cpu(eeprom->v2.len) != priv->eeprom_slice_size)
>   			return;
>   
> +		if (eeprom->v2.data + priv->eeprom_slice_size >
> +		    skb_tail_pointer(skb))
> +			return;
> +
>   		memcpy(priv->eeprom, eeprom->v2.data, priv->eeprom_slice_size);
>   	} else {
>   		if (le16_to_cpu(eeprom->v1.len) != priv->eeprom_slice_size)
>   			return;
>   
> +		if (eeprom->v1.data + priv->eeprom_slice_size >
> +		    skb_tail_pointer(skb))
> +			return;
> +
>   		memcpy(priv->eeprom, eeprom->v1.data, priv->eeprom_slice_size);
>   	}
>   


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-04 20:08 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-28  0:05 [PATCH wireless] wifi: p54: validate RX frame length in p54_rx_eeprom_readback() Xiang Mei
2026-07-04 20:08 ` Christian Lamparter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox