* [PATCH] net: wwan: t7xx: validate control-message data_length against the skb
@ 2026-07-11 7:13 Doruk Tan Ozturk
2026-07-16 17:17 ` Simon Horman
0 siblings, 1 reply; 2+ messages in thread
From: Doruk Tan Ozturk @ 2026-07-11 7:13 UTC (permalink / raw)
To: Chandrashekar Devegowda, Ricardo Martinez
Cc: Liu Haijun, Loic Poulain, Sergey Ryazanov, Johannes Berg, netdev,
linux-kernel, stable
control_msg_handler() handles a CTL_ID_HS2_MSG control message by pulling
the ctrl_msg_header and passing the modem-supplied data_length as the
length of the handshake-2 payload to t7xx_fsm_append_event():
ret = t7xx_fsm_append_event(ctl, event, skb->data,
le32_to_cpu(ctrl_msg_h->data_length));
data_length is a device-controlled __le32 that is never bounded against
the actual received payload (skb->len after the pull).
t7xx_fsm_append_event() then does memcpy(event->data, data, length) with
skb->data as the source, so a data_length larger than the payload reads
out of bounds past the control skb (the destination is sized to length,
so only the source over-reads). A compromised or malfunctioning modem can
trigger it during the bring-up handshake; both the modem and AP control
ports reach the same call site.
Reject a data_length that exceeds the received payload.
Found by 0sec (https://0sec.ai) using automated source analysis; the
missing bound is evident from source. Compile-tested.
Fixes: da45d2566a1d ("net: wwan: t7xx: Add control port")
Cc: stable@vger.kernel.org
Assisted-by: 0sec:claude-opus-4-8
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c b/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
index f869e4ed9ee9..871ed63d3c4d 100644
--- a/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
+++ b/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
@@ -186,10 +186,15 @@ static int control_msg_handler(struct t7xx_port *port, struct sk_buff *skb)
int event = port_conf->rx_ch == PORT_CH_CONTROL_RX ?
FSM_EVENT_MD_HS2 : FSM_EVENT_AP_HS2;
- ret = t7xx_fsm_append_event(ctl, event, skb->data,
- le32_to_cpu(ctrl_msg_h->data_length));
- if (ret)
- dev_err(port->dev, "Failed to append Handshake 2 event");
+ if (le32_to_cpu(ctrl_msg_h->data_length) > skb->len) {
+ dev_err(port->dev, "Invalid Handshake 2 data length\n");
+ ret = -EINVAL;
+ } else {
+ ret = t7xx_fsm_append_event(ctl, event, skb->data,
+ le32_to_cpu(ctrl_msg_h->data_length));
+ if (ret)
+ dev_err(port->dev, "Failed to append Handshake 2 event");
+ }
}
dev_kfree_skb_any(skb);
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] net: wwan: t7xx: validate control-message data_length against the skb
2026-07-11 7:13 [PATCH] net: wwan: t7xx: validate control-message data_length against the skb Doruk Tan Ozturk
@ 2026-07-16 17:17 ` Simon Horman
0 siblings, 0 replies; 2+ messages in thread
From: Simon Horman @ 2026-07-16 17:17 UTC (permalink / raw)
To: doruk
Cc: Simon Horman, chandrashekar.devegowda, ricardo.martinez,
haijun.liu, loic.poulain, ryazanov.s.a, johannes, netdev,
linux-kernel, stable
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
--- Patch [1]: [PATCH] net: wwan: t7xx: validate control-message data_length against the skb ---
commit d01ff7bcea9777a110312cfd4a96824ff782a70a
Author: Doruk Tan Ozturk <doruk@0sec.ai>
net: wwan: t7xx: validate control-message data_length against the skb
control_msg_handler() handles a CTL_ID_HS2_MSG control message by pulling
the ctrl_msg_header and passing the modem-supplied data_length as the
length of the handshake-2 payload to t7xx_fsm_append_event(). This commit
rejects a data_length that exceeds the received payload.
> diff --git a/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c b/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
> index f869e4ed9ee9a..871ed63d3c4d2 100644
> --- a/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
> +++ b/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
> @@ -186,10 +186,15 @@ static int control_msg_handler(struct t7xx_port *port, struct sk_buff *skb)
> int event = port_conf->rx_ch == PORT_CH_CONTROL_RX ?
> FSM_EVENT_MD_HS2 : FSM_EVENT_AP_HS2;
>
> - ret = t7xx_fsm_append_event(ctl, event, skb->data,
> - le32_to_cpu(ctrl_msg_h->data_length));
> - if (ret)
> - dev_err(port->dev, "Failed to append Handshake 2 event");
> + if (le32_to_cpu(ctrl_msg_h->data_length) > skb->len) {
> + dev_err(port->dev, "Invalid Handshake 2 data length\n");
> + ret = -EINVAL;
> + } else {
> + ret = t7xx_fsm_append_event(ctl, event, skb->data,
> + le32_to_cpu(ctrl_msg_h->data_length));
> + if (ret)
> + dev_err(port->dev, "Failed to append Handshake 2 event");
> + }
> }
>
> dev_kfree_skb_any(skb);
[Severity: High]
This is a pre-existing issue, but I noticed that earlier in this function
we call skb_pull() without validating the header size against skb->len:
drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c:control_msg_handler() {
...
ctrl_msg_h = (struct ctrl_msg_header *)skb->data;
switch (le32_to_cpu(ctrl_msg_h->ctrl_msg_id)) {
case CTL_ID_HS2_MSG:
skb_pull(skb, sizeof(*ctrl_msg_h));
...
}
Because skb_pull() fails silently if the length is insufficient, could this
lead to out-of-bounds reads and processing of uninitialized memory if the
modem sends a packet smaller than sizeof(struct ctrl_msg_header)?
I found a similar pattern in t7xx_port_proxy_recv_skb() where we read
ccci_header and call skb_pull() without checking if skb->len is large enough:
drivers/net/wwan/t7xx/t7xx_port_proxy.c:t7xx_port_proxy_recv_skb() {
...
struct ccci_header *ccci_h = (struct ccci_header *)skb->data;
...
channel = FIELD_GET(CCCI_H_CHN_FLD, le32_to_cpu(ccci_h->status));
...
skb_pull(skb, sizeof(*ccci_h));
...
}
[Severity: High]
This isn't a bug introduced by this patch, but I found an issue in the
HIF CLDMA receive path where an unchecked modem-provided length is passed
directly to skb_put():
drivers/net/wwan/t7xx/t7xx_hif_cldma.c:t7xx_cldma_gpd_rx_from_q() {
...
skb_put(skb, le16_to_cpu(gpd->data_buff_len));
...
}
If the modem provides a gpd->data_buff_len larger than the dynamically
allocated SKB's tailroom, wouldn't this trigger an skb_over_panic() and
cause a system denial of service?
[Severity: High]
This is a pre-existing issue, but it looks like we might be missing a read
memory barrier in the same receive path:
drivers/net/wwan/t7xx/t7xx_hif_cldma.c:t7xx_cldma_gpd_rx_from_q() {
...
if ((gpd->flags & GPD_FLAGS_HWO) || !req->skb) {
...
}
...
skb_put(skb, le16_to_cpu(gpd->data_buff_len));
...
}
Since we poll for the hardware ownership flag (GPD_FLAGS_HWO) and then
read the data_buff_len without an intervening dma_rmb(), could the CPU
speculatively reorder the read of the descriptor's payload fields to occur
before the ownership flag check is globally visible?
[Severity: High]
This isn't a bug introduced by this patch, but I noticed a missing write
memory barrier in the transmission path when setting the ownership flag:
drivers/net/wwan/t7xx/t7xx_hif_cldma.c:t7xx_cldma_gpd_handle_tx_request() {
...
gpd->data_buff_len = cpu_to_le16(skb->len);
spin_lock_irqsave(&md_ctrl->cldma_lock, flags);
if (md_ctrl->txq_active & BIT(queue->index))
gpd->flags |= GPD_FLAGS_HWO;
...
}
Because spin_lock_irqsave() only provides ACQUIRE semantics, could the
memory writes for data_buff_len be delayed past the lock and become
visible to the hardware after the GPD_FLAGS_HWO flag is set?
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-16 17:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-11 7:13 [PATCH] net: wwan: t7xx: validate control-message data_length against the skb Doruk Tan Ozturk
2026-07-16 17:17 ` Simon Horman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox