* [PATCH v3 0/3] wifi: ath6kl: firmware trust boundary hardening
@ 2026-04-21 13:50 Tristan Madani
2026-04-21 13:50 ` [PATCH v3 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size Tristan Madani
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Tristan Madani @ 2026-04-21 13:50 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
This series adds missing bounds checks for firmware-controlled fields
in the Qualcomm ath6kl driver.
Patch 1 returns early on invalid ADDBA window size. Patch 2 validates
connect event IE lengths. Patch 3 checks TX complete handler num_msg.
Changes in v3:
- Regenerated from wireless-next with proper git format-patch.
Changes in v2:
- No code changes from v1.
Tristan Madani (3):
wifi: ath6kl: fix OOB access from firmware ADDBA window size
wifi: ath6kl: fix OOB read from firmware IE lengths in connect event
wifi: ath6kl: fix OOB read from firmware num_msg in TX complete
handler
drivers/net/wireless/ath/ath6kl/txrx.c | 4 +++-
drivers/net/wireless/ath/ath6kl/wmi.c | 14 ++++++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
--
2.47.3
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v3 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size
2026-04-21 13:50 [PATCH v3 0/3] wifi: ath6kl: firmware trust boundary hardening Tristan Madani
@ 2026-04-21 13:50 ` Tristan Madani
2026-04-21 13:50 ` [PATCH v3 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event Tristan Madani
2026-04-21 13:50 ` [PATCH v3 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler Tristan Madani
2 siblings, 0 replies; 4+ messages in thread
From: Tristan Madani @ 2026-04-21 13:50 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
aggr_recv_addba_req_evt() logs a debug message when the firmware-supplied
win_sz is outside [AGGR_WIN_SZ_MIN, AGGR_WIN_SZ_MAX] but does not
return. The out-of-range win_sz is then used in TID_WINDOW_SZ() to
compute a kzalloc size and stored in rxtid->hold_q_sz, leading to
zero-size or overflowed allocations and subsequent OOB access.
Return early when win_sz is out of the valid range.
Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).
Changes in v2:
- No code changes from v1.
drivers/net/wireless/ath/ath6kl/txrx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index 97fdac7237e26..5575b535f94cd 100644
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -1723,9 +1723,11 @@ void aggr_recv_addba_req_evt(struct ath6kl_vif *vif, u8 tid_mux, u16 seq_no,
rxtid = &aggr_conn->rx_tid[tid];
- if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX)
+ if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX) {
ath6kl_dbg(ATH6KL_DBG_WLAN_RX, "%s: win_sz %d, tid %d\n",
__func__, win_sz, tid);
+ return;
+ }
if (rxtid->aggr)
aggr_delete_tid_state(aggr_conn, tid);
--
2.47.3
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v3 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event
2026-04-21 13:50 [PATCH v3 0/3] wifi: ath6kl: firmware trust boundary hardening Tristan Madani
2026-04-21 13:50 ` [PATCH v3 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size Tristan Madani
@ 2026-04-21 13:50 ` Tristan Madani
2026-04-21 13:50 ` [PATCH v3 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler Tristan Madani
2 siblings, 0 replies; 4+ messages in thread
From: Tristan Madani @ 2026-04-21 13:50 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
The firmware-controlled beacon_ie_len, assoc_req_len, and assoc_resp_len
fields in ath6kl_wmi_connect_event_rx() are not validated against the
buffer length. Their sum (up to 765) can exceed the actual WMI event
data, causing out-of-bounds reads during IE parsing and state corruption
of wmi->is_wmm_enabled.
Add a check that the total IE length fits within the buffer.
Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).
Changes in v2:
- No code changes from v1.
drivers/net/wireless/ath/ath6kl/wmi.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index 72611a2ceb9d8..1cafbac2938fe 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -862,6 +862,14 @@ static int ath6kl_wmi_connect_event_rx(struct wmi *wmi, u8 *datap, int len,
ev = (struct wmi_connect_event *) datap;
+ if (len < sizeof(*ev) + ev->beacon_ie_len +
+ ev->assoc_req_len + ev->assoc_resp_len) {
+ ath6kl_dbg(ATH6KL_DBG_WMI,
+ "connect event: IE lengths %u+%u+%u exceed buffer %d\n",
+ ev->beacon_ie_len, ev->assoc_req_len,
+ ev->assoc_resp_len, len);
+ return -EINVAL;
+ }
if (vif->nw_type == AP_NETWORK) {
/* AP mode start/STA connected event */
struct net_device *dev = vif->ndev;
--
2.47.3
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v3 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler
2026-04-21 13:50 [PATCH v3 0/3] wifi: ath6kl: firmware trust boundary hardening Tristan Madani
2026-04-21 13:50 ` [PATCH v3 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size Tristan Madani
2026-04-21 13:50 ` [PATCH v3 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event Tristan Madani
@ 2026-04-21 13:50 ` Tristan Madani
2 siblings, 0 replies; 4+ messages in thread
From: Tristan Madani @ 2026-04-21 13:50 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
The firmware-controlled num_msg field (u8, 0-255) drives the loop in
ath6kl_wmi_tx_complete_event_rx() without validation against the buffer
length. This allows out-of-bounds reads of up to 1020 bytes past the
WMI event buffer when the firmware sends an inflated num_msg.
Add a check that the buffer is large enough to hold num_msg entries.
Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).
Changes in v2:
- No code changes from v1.
drivers/net/wireless/ath/ath6kl/wmi.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index 1cafbac2938fe..f56722c5ef5f1 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -484,6 +484,12 @@ static int ath6kl_wmi_tx_complete_event_rx(u8 *datap, int len)
evt = (struct wmi_tx_complete_event *) datap;
+ if (len < sizeof(*evt) ||
+ len < sizeof(*evt) + evt->num_msg * sizeof(struct tx_complete_msg_v1)) {
+ ath6kl_dbg(ATH6KL_DBG_WMI, "tx complete: invalid len %d for %u msgs\n",
+ len, evt->num_msg);
+ return -EINVAL;
+ }
ath6kl_dbg(ATH6KL_DBG_WMI, "comp: %d %d %d\n",
evt->num_msg, evt->msg_len, evt->msg_type);
--
2.47.3
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-21 13:50 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-21 13:50 [PATCH v3 0/3] wifi: ath6kl: firmware trust boundary hardening Tristan Madani
2026-04-21 13:50 ` [PATCH v3 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size Tristan Madani
2026-04-21 13:50 ` [PATCH v3 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event Tristan Madani
2026-04-21 13:50 ` [PATCH v3 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler Tristan Madani
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox