[PATCH v2 0/2] wifi: b43: fix OOB read and infinite loop from hardware-reported values

[PATCH v2 0/2] wifi: b43: fix OOB read and infinite loop from hardware-reported values

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

Hi Johannes,

Note: this is a v2 resubmission. The original was sent via Gmail which
caused HTML rendering issues. This version uses git send-email for
proper plain-text formatting.

Two issues in b43 where hardware-reported values are used without
bounds checking:

Proposed fixes in the following patches.

Thanks,
Tristan

[PATCH v2 1/2] wifi: b43: fix infinite loop from invalid hardware DMA RX slot

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

b43_dma_rx() reads current_slot from hardware via get_current_rxslot().
If the value is >= ring->nr_slots, the B43_WARN_ON only warns but
continues. The for loop then never terminates because next_slot() wraps
modulo nr_slots and can never reach the out-of-range current_slot.

Replace the B43_WARN_ON with an explicit bounds check that returns
early when the hardware reports an invalid slot index.

Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/broadcom/b43/dma.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/broadcom/b43/dma.c
+++ b/drivers/net/wireless/broadcom/b43/dma.c
@@ -1693,7 +1693,10 @@ void b43_dma_rx(struct b43_dmaring *ring)
 	B43_WARN_ON(ring->tx);
 	current_slot = ops->get_current_rxslot(ring);
-	B43_WARN_ON(!(current_slot >= 0 && current_slot < ring->nr_slots));
+	if (!(current_slot >= 0 && current_slot < ring->nr_slots)) {
+		B43_WARN_ON(1);
+		return;
+	}

 	slot = ring->current_slot;
 	for (; slot != current_slot; slot = next_slot(ring, slot)) {
--
2.43.0

Re: [PATCH v2 1/2] wifi: b43: fix infinite loop from invalid hardware DMA RX slot

[Jonas Gorski]

Hi,

On Thu, Apr 16, 2026 at 12:24 AM Tristan Madani <tristmd@gmail.com> wrote:
>
> From: Tristan Madani <tristan@talencesecurity.com>
>
> b43_dma_rx() reads current_slot from hardware via get_current_rxslot().
> If the value is >= ring->nr_slots, the B43_WARN_ON only warns but
> continues. The for loop then never terminates because next_slot() wraps
> modulo nr_slots and can never reach the out-of-range current_slot.
>
> Replace the B43_WARN_ON with an explicit bounds check that returns
> early when the hardware reports an invalid slot index.
>
> Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> drivers/net/wireless/broadcom/b43/dma.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/net/wireless/broadcom/b43/dma.c
> +++ b/drivers/net/wireless/broadcom/b43/dma.c
> @@ -1693,7 +1693,10 @@ void b43_dma_rx(struct b43_dmaring *ring)
>         B43_WARN_ON(ring->tx);
>         current_slot = ops->get_current_rxslot(ring);
> -       B43_WARN_ON(!(current_slot >= 0 && current_slot < ring->nr_slots));
> +       if (!(current_slot >= 0 && current_slot < ring->nr_slots)) {
> +               B43_WARN_ON(1);
> +               return;
> +       }

B43_WARN_ON() returns the condition's result, so you can shorten this to

if (B43_WARN_ON(!(current_slot >= 0 && current_slot < ring->nr_slots)))
        return;

Best regards,
Jonas

Re: [PATCH v2 1/2] wifi: b43: fix infinite loop from invalid hardware DMA RX slot

[Michael Büsch]

[-- Attachment #1: Type: text/plain, Size: 1066 bytes --]

On Thu, 16 Apr 2026 08:34:00 +0200
Jonas Gorski <jonas.gorski@gmail.com> wrote:

> > diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c
> > index XXXXXXX..XXXXXXX 100644
> > --- a/drivers/net/wireless/broadcom/b43/dma.c
> > +++ b/drivers/net/wireless/broadcom/b43/dma.c
> > @@ -1693,7 +1693,10 @@ void b43_dma_rx(struct b43_dmaring *ring)
> >         B43_WARN_ON(ring->tx);
> >         current_slot = ops->get_current_rxslot(ring);
> > -       B43_WARN_ON(!(current_slot >= 0 && current_slot < ring->nr_slots));
> > +       if (!(current_slot >= 0 && current_slot < ring->nr_slots)) {
> > +               B43_WARN_ON(1);
> > +               return;
> > +       }  
> 
> B43_WARN_ON() returns the condition's result, so you can shorten this to
> 
> if (B43_WARN_ON(!(current_slot >= 0 && current_slot < ring->nr_slots)))
>         return;


Acked-by: Michael Büsch <m@bues.ch>

Please also check the b43legacy driver. It may contain exactly the same code.

-- 
Michael Büsch
https://bues.ch/

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, allowing an out-of-bounds read of 1 byte from struct
b43_firmware. A non-zero OOB value causes RX_FLAG_DECRYPTED to be
incorrectly set on un-decrypted frames.

Replace with an enforcing check that skips the key lookup for invalid
indices.

Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/broadcom/b43/xmit.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -704,7 +704,10 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
 		 */
 		keyidx = b43_kidx_to_raw(dev, keyidx);
-		B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+		if (keyidx >= ARRAY_SIZE(dev->key)) {
+			b43dbg(dev->wl, "RX: invalid key index %u\n", keyidx);
+			goto drop;
+		}

 		if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
 			wlhdr_len = ieee80211_hdrlen(fctl);

Re: [PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()

[Jonas Gorski]

Hi,

On Thu, Apr 16, 2026 at 12:24 AM Tristan Madani <tristmd@gmail.com> wrote:
>
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The firmware-controlled key index in b43_rx() can exceed the dev->key[]
> array size (58 entries). The existing B43_WARN_ON is non-enforcing in
> production builds, allowing an out-of-bounds read of 1 byte from struct
> b43_firmware. A non-zero OOB value causes RX_FLAG_DECRYPTED to be
> incorrectly set on un-decrypted frames.
>
> Replace with an enforcing check that skips the key lookup for invalid
> indices.
>
> Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> drivers/net/wireless/broadcom/b43/xmit.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/net/wireless/broadcom/b43/xmit.c
> +++ b/drivers/net/wireless/broadcom/b43/xmit.c
> @@ -704,7 +704,10 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
>                  */
>                 keyidx = b43_kidx_to_raw(dev, keyidx);
> -               B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
> +               if (keyidx >= ARRAY_SIZE(dev->key)) {
> +                       b43dbg(dev->wl, "RX: invalid key index %u\n", keyidx);
> +                       goto drop;
> +               }

B43_WARN_ON() returns the condition's result, so if you keep it you
can shorten this to

if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
        goto drop;

Best regards,
Jonas

Re: [PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()

[Michael Büsch]

[-- Attachment #1: Type: text/plain, Size: 1122 bytes --]

On Thu, 16 Apr 2026 08:34:11 +0200
Jonas Gorski <jonas.gorski@gmail.com> wrote:
> > diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
> > index XXXXXXX..XXXXXXX 100644
> > --- a/drivers/net/wireless/broadcom/b43/xmit.c
> > +++ b/drivers/net/wireless/broadcom/b43/xmit.c
> > @@ -704,7 +704,10 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
> >                  */
> >                 keyidx = b43_kidx_to_raw(dev, keyidx);
> > -               B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
> > +               if (keyidx >= ARRAY_SIZE(dev->key)) {
> > +                       b43dbg(dev->wl, "RX: invalid key index %u\n", keyidx);
> > +                       goto drop;
> > +               }  
> 
> B43_WARN_ON() returns the condition's result, so if you keep it you
> can shorten this to
> 
> if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
>         goto drop;

Acked-by: Michael Büsch <m@bues.ch>

Please also check the b43legacy driver. It may contain exactly the same code.

-- 
Michael Büsch
https://bues.ch/

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]