public inbox for linux-wireless@vger.kernel.org
* [PATCH wireless 0/3] wifi: mt76: Fix possible out-of-bound accesses in mt76 driver
From: Lorenzo Bianconi @ 2026-02-26 19:11 UTC (permalink / raw)
  To: Felix Fietkau, Ryder Lee, Shayne Chen, Sean Wang,
	Matthias Brugger, AngeloGioacchino Del Regno, StanleyYP Wang,
	Peter Chiu, MeiChia Chiu, Leon Yen, Deren Wu, Quan Zhou,
	Mingyen Hsieh
  Cc: Johannes Berg, Howard Hsu, Bo Jiao, linux-wireless,
	linux-arm-kernel, linux-mediatek, Hao Zhang, Nelson Yu,
	Lorenzo Bianconi

Check mgmt frame length before accessing header fields in order to avoid
a possible oob access for injected frames.

---
Lorenzo Bianconi (3):
      wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
      wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211()
      wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()

 drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 1 +
 drivers/net/wireless/mediatek/mt76/mt7925/mac.c      | 1 +
 drivers/net/wireless/mediatek/mt76/mt7996/mac.c      | 1 +
 3 files changed, 3 insertions(+)
---
base-commit: 8bf22c33e7a172fbc72464f4cc484d23a6b412ba
change-id: 20260226-mt76-addba-req-oob-access-848280920814

Best regards,
-- 
Lorenzo Bianconi <lorenzo@kernel.org>
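
The length check this series describes, modelled in userspace as an added example (not code from the patches or from the mt76 driver). The struct layout, `addba_capab()` and the sample frame are constructed for illustration and assume a 24-byte management header; the point is that the byte count that covers `action_code` does not yet cover `capab`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of an ADDBA request; layout assumed for this example,
 * not the kernel's struct ieee80211_mgmt. Byte members, so no padding. */
struct addba_frame {
	uint8_t fc[2];            /* frame control, little endian */
	uint8_t hdr_rest[22];     /* duration, DA, SA, BSSID, seq_ctrl */
	uint8_t category;
	uint8_t action_code;
	uint8_t dialog_token;
	uint8_t capab[2];         /* little endian */
	uint8_t timeout[2];
	uint8_t start_seq_num[2];
};

#define OFF(f) offsetof(struct addba_frame, f)
#define END(f) (OFF(f) + sizeof(((struct addba_frame *)0)->f))
enum { CATEGORY_BACK = 3, ACTION_ADDBA_REQ = 0 };  /* Block Ack, ADDBA req */
enum { NOT_ADDBA = -1, CAPAB_TRUNCATED = -2 };     /* hypothetical codes */

/* Returns capab (0..65535) or a negative code. Every byte is read only
 * after len has been shown to cover it. */
int addba_capab(const uint8_t *buf, size_t len)
{
	if (len < END(action_code))
		return NOT_ADDBA;                 /* too short to classify */
	if ((buf[OFF(fc)] & 0xfc) != 0xd0 ||      /* type mgmt, subtype action */
	    buf[OFF(category)] != CATEGORY_BACK ||
	    buf[OFF(action_code)] != ACTION_ADDBA_REQ)
		return NOT_ADDBA;
	if (len < END(capab))                     /* separate bound for capab */
		return CAPAB_TRUNCATED;
	return buf[OFF(capab)] | (buf[OFF(capab) + 1] << 8);
}

/* Constructed sample frame: ADDBA request with capab = 0x1002. */
static const uint8_t sample[sizeof(struct addba_frame)] = {
	[0] = 0xd0, [24] = CATEGORY_BACK, [25] = ACTION_ADDBA_REQ,
	[26] = 1, [27] = 0x02, [28] = 0x10 };

int main(void)
{
	for (size_t len = 25; len <= sizeof(sample); len += 2)
		printf("len=%zu -> %d\n", len, addba_capab(sample, len));
	return 0;
}
```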



* [PATCH wireless 1/3] wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
From: Lorenzo Bianconi @ 2026-02-26 19:11 UTC (permalink / raw)
  To: Felix Fietkau, Ryder Lee, Shayne Chen, Sean Wang,
	Matthias Brugger, AngeloGioacchino Del Regno, StanleyYP Wang,
	Peter Chiu, MeiChia Chiu, Leon Yen, Deren Wu, Quan Zhou,
	Mingyen Hsieh
  Cc: Johannes Berg, Howard Hsu, Bo Jiao, linux-wireless,
	linux-arm-kernel, linux-mediatek, Hao Zhang, Nelson Yu,
	Lorenzo Bianconi

Check frame length before accessing the mgmt fields in
mt7996_mac_write_txwi_80211 in order to avoid a possible oob access.

Fixes: 98686cd21624c ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 2560e2f46e89a4bc46e21d796fca80b7decefa5c..d4f3ee943b4727a0e20f96a55db3bf055df20cc7 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -800,6 +800,7 @@ mt7996_mac_write_txwi_80211(struct mt7996_dev *dev, __le32 *txwi,
 	u32 val;
 
 	if (ieee80211_is_action(fc) &&
+	    skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 &&
 	    mgmt->u.action.category == WLAN_CATEGORY_BACK &&
 	    mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ) {
 		if (is_mt7990(&dev->mt76))
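
Review bot: the `+ 1` in `skb->len >= IEEE80211_MIN_ACTION_SIZE + 1` is a bare constant with no stated link to the field it protects. It appears to stand for the single `action_code` byte compared on the last line of the condition; expressing the bound in terms of that field (for example an offsetofend() on `u.action.u.addba_req.action_code`) or adding a short comment would keep the check correct if the condition later reads further fields. Only the first line of the `is_mt7990()` branch is visible here, so it is worth confirming that nothing inside the block reads `addba_req` fields beyond `action_code` under this same bound.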

-- 
2.53.0



* [PATCH wireless 2/3] wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211()
From: Lorenzo Bianconi @ 2026-02-26 19:11 UTC (permalink / raw)
  To: Felix Fietkau, Ryder Lee, Shayne Chen, Sean Wang,
	Matthias Brugger, AngeloGioacchino Del Regno, StanleyYP Wang,
	Peter Chiu, MeiChia Chiu, Leon Yen, Deren Wu, Quan Zhou,
	Mingyen Hsieh
  Cc: Johannes Berg, Howard Hsu, Bo Jiao, linux-wireless,
	linux-arm-kernel, linux-mediatek, Hao Zhang, Nelson Yu,
	Lorenzo Bianconi

Check frame length before accessing the mgmt fields in
mt7925_mac_write_txwi_80211 in order to avoid a possible oob access.

Fixes: c948b5da6bbec ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
index 871b67101976a7d72ca10c9736ccfa59b0f21122..0d94359004233e94c11a2d09f67b1ae61ccf71ad 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
@@ -668,6 +668,7 @@ mt7925_mac_write_txwi_80211(struct mt76_dev *dev, __le32 *txwi,
 	u32 val;
 
 	if (ieee80211_is_action(fc) &&
+	    skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 &&
 	    mgmt->u.action.category == WLAN_CATEGORY_BACK &&
 	    mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ)
 		tid = MT_TX_ADDBA;
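
Review bot: the condition guarding `tid = MT_TX_ADDBA` is the same three-line test that the mt7996 and mt76_connac2 patches in this series add, so the length bound now lives in three places. A small shared helper in common mt76 code (a hypothetical mt76_is_addba_req(skb), say) would keep the `skb->len` check together with the `category` and `action_code` comparisons and make it harder for one copy to drift from the others. In this function only `action_code` is consulted before the assignment, so the `+ 1` bound looks sufficient for the lines shown.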

-- 
2.53.0



* [PATCH wireless 3/3] wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
From: Lorenzo Bianconi @ 2026-02-26 19:11 UTC (permalink / raw)
  To: Felix Fietkau, Ryder Lee, Shayne Chen, Sean Wang,
	Matthias Brugger, AngeloGioacchino Del Regno, StanleyYP Wang,
	Peter Chiu, MeiChia Chiu, Leon Yen, Deren Wu, Quan Zhou,
	Mingyen Hsieh
  Cc: Johannes Berg, Howard Hsu, Bo Jiao, linux-wireless,
	linux-arm-kernel, linux-mediatek, Hao Zhang, Nelson Yu,
	Lorenzo Bianconi

Check frame length before accessing the mgmt fields in
mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob
access.

Fixes: 182071cdd594b ("mt76: connac: move connac2_mac_write_txwi in mt76_connac module")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
index 3304b5971be09e4c20178bdff66febf67bcd5c19..ad66a64200213a45e44d6f30a7a1e4306fd84240 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
@@ -413,6 +413,7 @@ mt76_connac2_mac_write_txwi_80211(struct mt76_dev *dev, __le32 *txwi,
 	u32 val;
 
 	if (ieee80211_is_action(fc) &&
+	    skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 &&
 	    mgmt->u.action.category == WLAN_CATEGORY_BACK &&
 	    mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ) {
 		u16 capab = le16_to_cpu(mgmt->u.action.u.addba_req.capab);
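
Review bot: the new bound does not cover the `capab` read on the first line of the block. `skb->len >= IEEE80211_MIN_ACTION_SIZE + 1` leaves room for one byte past the minimum action size, which matches the `action_code` comparison, but `le16_to_cpu(mgmt->u.action.u.addba_req.capab)` reads a separate 16-bit field of the same `addba_req`, so a frame that only just passes the check can still be read past its end. Suggest bounding on the last field actually used, for example `skb->len >= offsetofend(struct ieee80211_mgmt, u.action.u.addba_req.capab)`, or on the minimum action size plus `sizeof(mgmt->u.action.u.addba_req)`.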

-- 
2.53.0



* Re: [PATCH wireless 0/3] wifi: mt76: Fix possible out-of-bound accesses in mt76 driver
From: Lorenzo Bianconi @ 2026-02-26 21:08 UTC (permalink / raw)
  To: Felix Fietkau, Ryder Lee, Shayne Chen, Sean Wang,
	Matthias Brugger, AngeloGioacchino Del Regno, StanleyYP Wang,
	Peter Chiu, MeiChia Chiu, Leon Yen, Deren Wu, Quan Zhou,
	Mingyen Hsieh
  Cc: Johannes Berg, Howard Hsu, Bo Jiao, linux-wireless,
	linux-arm-kernel, linux-mediatek, Hao Zhang, Nelson Yu


> Check mgmt frame length before accessing header fields in order to avoid
> a possible oob access for injected frames.

Hi Felix,

do you think these patches can go directly into the wireless tree or do you
prefer to get them into your tree?

Regards,
Lorenzo

> 
> ---
> Lorenzo Bianconi (3):
>       wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
>       wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211()
>       wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
> 
>  drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 1 +
>  drivers/net/wireless/mediatek/mt76/mt7925/mac.c      | 1 +
>  drivers/net/wireless/mediatek/mt76/mt7996/mac.c      | 1 +
>  3 files changed, 3 insertions(+)
> ---
> base-commit: 8bf22c33e7a172fbc72464f4cc484d23a6b412ba
> change-id: 20260226-mt76-addba-req-oob-access-848280920814
> 
> Best regards,
> -- 
> Lorenzo Bianconi <lorenzo@kernel.org>
> 
