From: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
To: Christian Lamparter <chunkeey@gmail.com>,
Deepanshu Kartikey <kartikey406@gmail.com>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+5c1ca6ccaa1215781cac@syzkaller.appspotmail.com,
tristan@talencesecurity.com, TristanInSec@gmail.com
Subject: Re: [PATCH] wifi: carl9170: fix stack-out-of-bounds in carl9170_cmd_callback
Date: Wed, 1 Jul 2026 11:47:52 -0700 [thread overview]
Message-ID: <85a5f48a-2eba-46ec-855b-c4f7abf8e264@oss.qualcomm.com> (raw)
In-Reply-To: <26e33fea-c81e-48f4-a058-4b3bf0dc95c5@gmail.com>
On 5/1/2026 3:17 AM, Christian Lamparter wrote:
> Hi,
>
> On 4/24/26 5:17 AM, Deepanshu Kartikey wrote:
>> carl9170_cmd_callback() does not return after calling
>> carl9170_restart() when an invalid command response is detected.
>> This causes a fall-through into the memcpy block below, where
>> ar->readbuf is written with a device-controlled length (len - 4)
>> instead of the expected ar->readlen bytes.
>>
>> A malicious or fuzzing USB device can send an oversized response
>> (e.g. 60 bytes) causing a stack-out-of-bounds write into ar->readbuf,
>> as detected by KASAN.
>>
>> Fix this by adding a return after carl9170_restart() to match the
>> original intent stated in the comment ("Do not complete"). Also cap
>> the memcpy with min_t() as defense-in-depth to prevent overflow even
>> if the control flow changes in future.
>>
>> The bug has been present since the initial driver submission in 2010.
>
>
> I've seen this before in a mail from Tristan Madani (CC'd) on the 13th of April 2026.
> Unfortunately, he didn't post this to the linux-wireless mailing-list. Instead
> he went for the Security Officers <security@kernel.org> , so I can't provide any link to it.
> That said, he since changed it because of the notes I had about the driver actually want to process
> further so only the memcpy that caused the overflow was modified with the same
> "min_t(u32, len - 4, ar->readlen)" instead of "len -4" as the length:
> "[PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read"
>
> https://lore.kernel.org/linux-wireless/20260421134929.325662-2-tristmd@gmail.com/
>
> So, who should get the credit? Maybe another person will post a patch soon too? Who knows.
My plan is to take Tristan's series once I get ACKs.
Any other contributions that conflict with his will be dropped.
/jeff
prev parent reply other threads:[~2026-07-01 18:47 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 3:17 [PATCH] wifi: carl9170: fix stack-out-of-bounds in carl9170_cmd_callback Deepanshu Kartikey
2026-05-01 10:17 ` Christian Lamparter
2026-07-01 18:47 ` Jeff Johnson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=85a5f48a-2eba-46ec-855b-c4f7abf8e264@oss.qualcomm.com \
--to=jeff.johnson@oss.qualcomm.com \
--cc=TristanInSec@gmail.com \
--cc=chunkeey@gmail.com \
--cc=kartikey406@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=syzbot+5c1ca6ccaa1215781cac@syzkaller.appspotmail.com \
--cc=tristan@talencesecurity.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox