From: Michael Bommarito
To: Miri Korenblit
Cc: Johannes Berg, Emmanuel Grumbach, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 1/4] wifi: iwlwifi: mvm: include matches_len in scan-offload-query length check
Date: Fri, 15 May 2026 08:10:57 -0400
Message-ID: <20260515121100.649334-2-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260515121100.649334-1-michael.bommarito@gmail.com>
References: <20260515121100.649334-1-michael.bommarito@gmail.com>

iwl_mvm_netdetect_query_results() validates the firmware response length
against query_len (the fixed-header size of struct
iwl_scan_offload_match_info or iwl_scan_offload_profiles_query_v1) but
immediately follows with:

	memcpy(results->matches, query->matches, matches_len);

where matches_len is
sizeof(struct iwl_scan_offload_profile_match[_v1]) *
iwl_umac_scan_get_max_profiles(mvm->fw) and is not included in the
guard. A firmware response of exactly query_len bytes therefore
satisfies the guard yet the memcpy reads matches_len bytes past the end
of the slab-allocated firmware-response buffer.

The worst-case extent depends on the firmware path:

- v2 layout, SCAN_OFFLOAD_UPDATE_PROFILES_CMD version unknown or < 3:
  matches_len = 18 * IWL_SCAN_MAX_PROFILES = 198 bytes.
- v2 layout, command version >= 3:
  matches_len = 18 * IWL_SCAN_MAX_PROFILES_V2 = 144 bytes.
- v1 layout:
  matches_len = 16 * IWL_SCAN_MAX_PROFILES = 176 bytes.

Reproduced under UML+KASAN via a KUnit harness that lifts the
length-validation + memcpy logic into a self-contained test. With the
response sized at the v2 query_len (24 bytes of match-info header) and
the older-firmware max_profiles path, KASAN reports a slab-out-of-bounds
READ of 198 bytes at 0 bytes to the right of a 24-byte allocation in the
kmalloc-32 cache.
Building drivers/net/wireless/intel/iwlwifi/mvm/d3.o under x86_64
allmodconfig with the fix applied yields no new warnings.

The sibling fix iwl_mvm_nd_match_info_handler() was corrected by commit
744fabc338e8 ("wifi: iwlwifi: mvm: fix potential out-of-bounds read in
iwl_mvm_nd_match_info_handler()"). The present function was missed
during that audit; apply the same correction shape.

Cc: stable@vger.kernel.org
Fixes: e4fe5d4b10cd ("iwlwifi: mvm: Support new format of SCAN_OFFLOAD_PROFILES_QUERY_RSP")
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
index 9a74f60c9185..c17ac62feec3 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
@@ -2458,7 +2458,7 @@ iwl_mvm_netdetect_query_results(struct iwl_mvm *mvm, } len = iwl_rx_packet_payload_len(cmd.resp_pkt); - if (len < query_len) { + if (len < query_len + matches_len) { IWL_ERR(mvm, "Invalid scan offload profiles query response!\n"); ret = -EIO; goto out_free_resp;
-- 
2.53.0
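Review bot: the hunk's context does not show where matches_len is assigned; please confirm it is computed before `len = iwl_rx_packet_payload_len(cmd.resp_pkt);` rather than only ahead of the later memcpy(), otherwise the new `if (len < query_len + matches_len) {` compares against a not-yet-set value and a query_len-sized response could still pass. Apart from that, the one-line change matches the shape of the 744fabc338e8 fix the commit message cites, and keeping the `ret = -EIO; goto out_free_resp;` path unchanged means the error handling needs no further review.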
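As an added illustration that is not code from this patch or the iwlwifi driver, the pre-fix and patched length guards modelled in user-space C with the v2 layout and older-firmware sizes the commit message gives. struct iwl_scan_offload_match_info, iwl_umac_scan_get_max_profiles() and the result struct are replaced by constructed stand-ins (QUERY_LEN_V2, MATCHES_LEN, struct results), and the backing array in the scenario helper is deliberately oversized so the pre-fix model can be called without the slab overread KASAN reported.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the driver's sizes, taken from the commit message. */
#define IWL_SCAN_MAX_PROFILES 11        /* older-firmware max_profiles path */
#define MATCH_V2_SIZE         18        /* one iwl_scan_offload_profile_match */
#define QUERY_LEN_V2          24        /* fixed header of iwl_scan_offload_match_info */
#define MATCHES_LEN (MATCH_V2_SIZE * IWL_SCAN_MAX_PROFILES)   /* 198 bytes */

struct results { uint8_t matches[MATCHES_LEN]; };
/* Pre-fix guard: only the fixed header must be present, so a query_len-byte
 * response passes and memcpy() then reads MATCHES_LEN bytes past its end. */
static int query_results_before(const uint8_t *resp, size_t len, struct results *out)
{
	if (len < QUERY_LEN_V2)
		return -EIO;
	memcpy(out->matches, resp + QUERY_LEN_V2, MATCHES_LEN); /* BUG: ignores len */
	return 0;
}

/* Patched guard: every byte memcpy() will read must lie inside the response. */
static int query_results_after(const uint8_t *resp, size_t len, struct results *out)
{
	if (len < QUERY_LEN_V2 + MATCHES_LEN)
		return -EIO;
	memcpy(out->matches, resp + QUERY_LEN_V2, MATCHES_LEN);
	return 0;
}

/* Bytes the pre-fix memcpy() reads beyond a len-byte response (0 if in bounds). */
static size_t overread_for(size_t len)
{
	size_t need = QUERY_LEN_V2 + MATCHES_LEN;
	return len >= need ? 0 : need - len;
}

/* The commit message's scenario: a response of exactly query_len (24) bytes.
 * The backing array is oversized so the pre-fix model can run here without
 * the slab-out-of-bounds read that KASAN flagged in the real driver. */
static int guard_accepts_short_response(int patched)
{
	uint8_t backing[QUERY_LEN_V2 + MATCHES_LEN] = {0};
	struct results r;
	int rc = patched ? query_results_after(backing, QUERY_LEN_V2, &r)
			 : query_results_before(backing, QUERY_LEN_V2, &r);
	return rc == 0;
}
```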