[PATCH v3 0/5] wifi: rsi: firmware trust boundary hardening

[PATCH v3 0/5] wifi: rsi: firmware trust boundary hardening

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

This series adds missing bounds checks for firmware-controlled fields
in the RSI 91x driver (rsi_91x_main.c, rsi_91x_core.c, rsi_91x_mgmt.c).

Each patch addresses a specific field that the firmware can set to an
out-of-range value, causing OOB reads or infinite loops in the host
driver.

Changes in v3:
  - Regenerated from wireless-next with proper git format-patch to
    produce valid index hashes and clean diffs (v2 had post-processed
    index lines that prevented git-am application).

Changes in v2:
  - Clarify firmware trust model in commit messages.

Tristan Madani (5):
  wifi: rsi: fix integer underflow from firmware extended_desc in
    rsi_prepare_skb()
  wifi: rsi: fix OOB read from firmware-claimed length exceeding actual
    frame size
  wifi: rsi: fix OOB read from firmware pad_bytes in management RX path
  wifi: rsi: fix infinite loop when firmware sends zero-length packet
  wifi: rsi: fix OOB read from firmware offset field in SDIO RX path

 drivers/net/wireless/rsi/rsi_91x_main.c | 20 ++++++++++++++++++++
 drivers/net/wireless/rsi/rsi_91x_mgmt.c |  6 ++++++
 2 files changed, 26 insertions(+)

-- 
2.47.3

[PATCH v3 1/5] wifi: rsi: fix integer underflow from firmware extended_desc in rsi_prepare_skb()

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled extended_desc value is subtracted from pkt_len
without bounds checking. When extended_desc exceeds pkt_len, the u32
subtraction wraps, causing either a failed allocation (DoS) or an
out-of-bounds heap read via the subsequent memcpy from buffer +
payload_offset. Both SDIO and USB paths are affected.

Add a bounds check to reject packets where extended_desc exceeds
pkt_len.

Fixes: dad0d04fa7ba ("rsi: data and management rx path")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
  - Regenerated from wireless-next with proper git format-patch to
    produce valid index hashes (v2 had post-processed index lines).

Changes in v2:
  - No code changes from v1.

 drivers/net/wireless/rsi/rsi_91x_main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
index 662e42d1e5e8d..2ff7068bad7a7 100644
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -134,6 +134,11 @@ static struct sk_buff *rsi_prepare_skb(struct rsi_common *common,
 		pkt_len = RSI_RCV_BUFFER_LEN * 4;
 	}
 
+	if (extended_desc > pkt_len) {
+		rsi_dbg(ERR_ZONE, "%s: extended_desc %u > pkt_len %u\n",
+			__func__, extended_desc, pkt_len);
+		return NULL;
+	}
 	pkt_len -= extended_desc;
 	skb = dev_alloc_skb(pkt_len + FRAME_DESC_SZ);
 	if (skb == NULL)
-- 
2.47.3

[PATCH v3 2/5] wifi: rsi: fix OOB read from firmware-claimed length exceeding actual frame size

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled length field (12-bit, up to 4095) from the RX
descriptor is used as the memcpy size in rsi_prepare_skb(). No check
ensures this claimed length fits within the actual received data.
A malicious or malfunctioning firmware can cause out-of-bounds reads
past the RX buffer, leaking kernel heap contents into skbs delivered
to mac80211.

Add a bounds check in rsi_read_pkt() to reject frames where offset +
length exceeds actual_length.

Fixes: dad0d04fa7ba ("rsi: data and management rx path")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
  - Regenerated from wireless-next with proper git format-patch to
    produce valid index hashes (v2 had post-processed index lines).

Changes in v2:
  - No code changes from v1.

 drivers/net/wireless/rsi/rsi_91x_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
index 2ff7068bad7a7..9901bd53cc844 100644
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -181,6 +181,12 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt, s32 rcv_pkt_len)
 		queueno = rsi_get_queueno(frame_desc, offset);
 		length = rsi_get_length(frame_desc, offset);
 
+		if (offset + length > actual_length) {
+			rsi_dbg(ERR_ZONE,
+				"%s: frame overflows: offset %u + len %u > actual %u\n",
+				__func__, offset, length, actual_length);
+			goto fail;
+		}
 		/* Extended descriptor is valid for WLAN queues only */
 		if (queueno == RSI_WIFI_DATA_Q || queueno == RSI_WIFI_MGMT_Q)
 			extended_desc = rsi_get_extended_desc(frame_desc,
-- 
2.47.3

[PATCH v3 3/5] wifi: rsi: fix OOB read from firmware pad_bytes in management RX path

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled pad_bytes value (u8, from descriptor byte 4) is
used to shift the skb_put_data() source pointer forward in
rsi_mgmt_pkt_to_core(). While the existing msg_len -= pad_bytes check
catches the case where pad_bytes >= msg_len, it does not prevent a large
pad_bytes from shifting the read window into heap memory beyond the
actual packet data. The resulting kernel heap contents are delivered to
mac80211 as a management frame.

Add validation that pad_bytes does not exceed half of msg_len. Alignment
padding in 802.11 management frames is typically 0-3 bytes, so any
value exceeding msg_len / 2 indicates a corrupted descriptor.

Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
  - Regenerated from wireless-next with proper git format-patch to
    produce valid index hashes (v2 had post-processed index lines).

Changes in v2:
  - No code changes from v1.

 drivers/net/wireless/rsi/rsi_91x_mgmt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_mgmt.c b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
index 7f2c1608f2ce3..ebbc2a43ddfa6 100644
--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
@@ -490,6 +490,12 @@ static int rsi_mgmt_pkt_to_core(struct rsi_common *common,
 	u8 pad_bytes = msg[4];
 	struct sk_buff *skb;
 
+	if (pad_bytes > msg_len / 2) {
+		rsi_dbg(MGMT_RX_ZONE,
+			"%s: pad_bytes %u too large for msg_len %d\n",
+			__func__, pad_bytes, msg_len);
+		return -EINVAL;
+	}
 	if (!adapter->sc_nvifs)
 		return -ENOLINK;
 
-- 
2.47.3

[PATCH v3 5/5] wifi: rsi: fix OOB read from firmware offset field in SDIO RX path

[Tristan Madani]

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled offset field in rsi_read_pkt() is validated only
when rcv_pkt_len is zero (USB path). For the SDIO path, rcv_pkt_len is
always positive, so the check is skipped entirely. A crafted offset can
cause out-of-bounds reads past the 8192-byte pktbuffer when computing
queue number, length, extended descriptor, and data pointers.

Add a transport-independent bounds check to reject offset values that
exceed the frame's actual_length.

Fixes: dad0d04fa7ba ("rsi: data and management rx path")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
  - Regenerated from wireless-next with proper git format-patch.

Changes in v2:
  - New patch in v2, not present in v1.

 drivers/net/wireless/rsi/rsi_91x_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
index eb950e862ecf1..bc03066a240c1 100644
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -180,6 +180,12 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt, s32 rcv_pkt_len)
 		if (!rcv_pkt_len && offset >
 			RSI_MAX_RX_USB_PKT_SIZE - FRAME_DESC_SZ)
 			goto fail;
+		if (offset > actual_length) {
+			rsi_dbg(ERR_ZONE,
+				"%s: offset %u exceeds length %u\n",
+				__func__, offset, actual_length);
+			goto fail;
+		}
 
 		queueno = rsi_get_queueno(frame_desc, offset);
 		length = rsi_get_length(frame_desc, offset);
-- 
2.47.3