From: Mikhail Gavrilov
To: Mario Limonciello
Cc: Felix Fietkau, Lorenzo Bianconi, linux-wireless@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org, Mikhail Gavrilov
Subject: [PATCH] [PATCH] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
Date: Fri, 5 Dec 2025 20:45:32 +0500
Message-ID: <20251205154532.27704-1-mikhail.v.gavrilov@gmail.com>
X-Mailer: git-send-email 2.52.0

Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others using mt76_connac_lib) due to an incorrect buffer size calculation.

The error logged is:
"strnlen: detected buffer overflow: 17 byte read of buffer size 16"

This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes. The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)' (17) as the read limit for strscpy, causing Fortify Source to correctly detect an attempt to read 17 bytes from the 16-byte source field.

To fix this, replace strscpy with memcpy, which is appropriate for raw data copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16) to limit the read, followed by manual null termination.

Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
Signed-off-by: Mikhail Gavrilov
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers= /net/wireless/mediatek/mt76/mt76_connac_mcu.c index ea99167765b0..d2c4c65ec464 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c 
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c @@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, co= nst char *fw_name) } =20 hdr =3D (const void *)fw->data; - strscpy(build_date, hdr->build_date, sizeof(build_date)); - build_date[16] =3D '\0'; + /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buff= er, + * and then add the null terminator at index 16. + */ + memcpy(build_date, hdr->build_date, sizeof(hdr->build_date)); + build_date[sizeof(hdr->build_date)] =3D '\0'; strim(build_date); dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n", be32_to_cpu(hdr->hw_sw_ver), build_date); --=20 2.52.0
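
Review bot: The memcpy() and the terminator write at build_date[sizeof(hdr->build_date)] stay in bounds only if build_date is declared with at least sizeof(hdr->build_date) + 1 bytes, and that declaration is outside this hunk, so nothing in the changed lines enforces the relationship. Consider declaring the local as char build_date[sizeof(hdr->build_date) + 1], or adding a static_assert() on the two sizes next to the copy, so that a later change to either array cannot turn the terminator write into a one-byte overrun of the destination. The new comment also hardcodes 16, 17 and "index 16" while the code now derives everything from sizeof(); wording the comment without the literals would keep it from going stale, and the "%.16s" precision in the dev_info() call carries the same literal even though build_date is always terminated after this change.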