From: Tristan Madani
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/5] wifi: rsi: fix OOB read from firmware offset field in SDIO RX path
Date: Wed, 15 Apr 2026 22:23:03 +0000
Message-ID: <20260415222307.1537309-2-tristmd@gmail.com>
In-Reply-To: <20260415222307.1537309-1-tristmd@gmail.com>
References: <20260415222307.1537309-1-tristmd@gmail.com>

The firmware-controlled offset field in rsi_read_pkt() is validated only when rcv_pkt_len is zero (USB path). For the SDIO path, rcv_pkt_len is always positive, so the check is skipped entirely. A crafted offset can cause out-of-bounds reads past the 8192-byte pktbuffer when computing queue number, length, extended descriptor, and data pointers.

Add a transport-independent bounds check to reject offset values that exceed the frame's actual_length.

Fixes: dad0d04fa7ba ("rsi: data and management rx path")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/rsi/rsi_91x_main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -171,6 +171,11 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt= , s32 rcv_pkt_len) if (!rcv_pkt_len && offset > RSI_MAX_RX_USB_PKT_SIZE - FRAME_DESC_SZ) goto fail; + if (offset > actual_length) { + rsi_dbg(ERR_ZONE, + "%s: offset %u exceeds length %u\n", + __func__, offset, actual_length); + goto fail; + } queueno =3D rsi_get_queueno(frame_desc, offset); length =3D rsi_get_length(frame_desc, offset); From nobody Tue Jun 16 03:46:45 2026 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 58F14391E74 for ; Wed, 15 Apr 2026 22:23:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291794; cv=none; b=uQct0n5XSAItn8olZdhY3xGcLufzgXoPFyj8FW0ZMuqynb4v/6p/NRCHq7tQzvpmpBtEJyTRCyfoGSpWyweT5dtWt6TKNDQMOeHTfkgJKywN5DJDu7AC0ry54VGRt0Skv43vWNoKmENF3Wys88Q0d1L9v7W5BdUfDNK86cNVAOQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291794; c=relaxed/simple; bh=v+WiWQqP1pM6W5OvLwciNDvzrubRAtU/RrMWCdBnYOM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Yc76C5YXREajU44CgXxrvF5xYm5J1rRW2ls5muSOP98AvaT8Even1z58cZrJ1IK1/H79Q8y7qajJD05Ie0WkQ+nmO6hq97QE0esoKoEpACHdM4GWSn4V4m/6k6FqgQBwAVgmPAX9scqQkLwZzaIaz/5YBS8NI2CAWNhycG2nFxI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=XUiLKq8c; arc=none smtp.client-ip=209.85.128.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: 
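Review bot: the new `offset > actual_length` check bounds one firmware-supplied field against another: actual_length is read from the same descriptor (`actual_length = *(u16 *)&frame_desc[0]`, visible in patch 5/5 of this series), so it only reaches the 8192-byte pktbuffer limit named in the commit message if actual_length is itself bounded by rcv_pkt_len for the SDIO case, and nothing in this hunk does that. Two smaller points: the strict `>` still admits offset == actual_length, after which `rsi_get_queueno(frame_desc, offset)` and `rsi_get_length(frame_desc, offset)` read descriptor bytes starting exactly at the frame end, so reserving the descriptor size (`offset + FRAME_DESC_SZ > actual_length`, mirroring the `- FRAME_DESC_SZ` in the existing USB check) is the safer bound; and the new test could be folded into the existing USB-only one as a single transport-independent condition instead of two consecutive `goto fail` blocks.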
From: Tristan Madani
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/5] wifi: rsi: fix integer underflow from firmware extended_desc in rsi_prepare_skb()
Date: Wed, 15 Apr 2026 22:23:04 +0000
Message-ID: <20260415222307.1537309-3-tristmd@gmail.com>
In-Reply-To: <20260415222307.1537309-1-tristmd@gmail.com>
References: <20260415222307.1537309-1-tristmd@gmail.com>

The firmware-controlled extended_desc value is subtracted from pkt_len without bounds checking. When extended_desc exceeds pkt_len, the u32 subtraction wraps, causing either a failed allocation (DoS) or an out-of-bounds heap read via the subsequent memcpy from buffer + payload_offset. Both SDIO and USB paths are affected.

Add a bounds check to reject packets where extended_desc exceeds pkt_len.

Fixes: dad0d04fa7ba ("rsi: data and management rx path")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/rsi/rsi_91x_main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -136,6 +136,11 @@ static struct sk_buff *rsi_prepare_skb(struct rsi_comm= on *common, pkt_len =3D RSI_RCV_BUFFER_LEN * 4; } + if (extended_desc > pkt_len) { + rsi_dbg(ERR_ZONE, "%s: extended_desc %u > pkt_len %u\n", + __func__, extended_desc, pkt_len); + return NULL; + } pkt_len -=3D extended_desc; skb =3D dev_alloc_skb(pkt_len + FRAME_DESC_SZ); if (skb =3D=3D NULL) From nobody Tue Jun 16 03:46:45 2026 Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0B0E33932FB for ; Wed, 15 Apr 2026 22:23:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291795; cv=none; b=kUoPGZ3u6UYFgq3o0dgkzVQCqP388y3P7WAq75couJIn3yCe3KEJcsT3zhyjQ3EOg/5CYmDdAVQucBqMji2caJP+d5zgBXpjaJP8Dk169MEV0YSghLl25xQqIU912b5U5EI6hrM/TWFYcfpwddjPkA3j/sjJH0WjJv1aEhLI9ms= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291795; c=relaxed/simple; bh=qwzvLXoxhSI6TyRwIBPV+AoD+cXf1obQzmvU+THBV58=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fCW9OkUen/61lJ3e4YAtBx5HFXAl/PD3GSn23rT9tt+I9bQj9DxPZhF8iQfdaxBMwUdMmQUyMG3b/UEF+dPmV+Kdt08kvHOtpr52YCahJVg65T8ChrG8vHKxDp6n3d5JabSKcHl3sPhF5dROe9LuSOR8WKun1pI+KtUgaNOvWwo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=gQ9UFTTF; arc=none smtp.client-ip=209.85.128.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
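Review bot: the `extended_desc > pkt_len` check lets extended_desc == pkt_len through, which makes `pkt_len -= extended_desc` zero and `dev_alloc_skb(pkt_len + FRAME_DESC_SZ)` then builds an skb of only FRAME_DESC_SZ bytes with no payload; if a frame consisting of nothing but extended descriptor is not meaningful, `>=` is the intended bound, and either way the commit message should state which case is accepted. Placing the check after the `pkt_len = RSI_RCV_BUFFER_LEN * 4` clamp is correct, since the subtraction operates on the clamped value; a one-line comment saying the clamp must stay above this check would keep a later reorder from silently reintroducing the wrap.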
From: Tristan Madani
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 3/5] wifi: rsi: fix OOB read from firmware-claimed length exceeding actual frame size
Date: Wed, 15 Apr 2026 22:23:05 +0000
Message-ID: <20260415222307.1537309-4-tristmd@gmail.com>
In-Reply-To: <20260415222307.1537309-1-tristmd@gmail.com>
References: <20260415222307.1537309-1-tristmd@gmail.com>

The firmware-controlled length field (12-bit, up to 4095) from the RX descriptor is used as the memcpy size in rsi_prepare_skb(). No check ensures this claimed length fits within the actual received data. A malicious or malfunctioning firmware can cause out-of-bounds reads past the RX buffer, leaking kernel heap contents into skbs delivered to mac80211.

Add a bounds check in rsi_read_pkt() to reject frames where offset + length exceeds actual_length.

Fixes: dad0d04fa7ba ("rsi: data and management rx path")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/rsi/rsi_91x_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -179,6 +179,12 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt= , s32 rcv_pkt_len) queueno =3D rsi_get_queueno(frame_desc, offset); length =3D rsi_get_length(frame_desc, offset); + if (offset + length > actual_length) { + rsi_dbg(ERR_ZONE, + "%s: frame overflows: offset %u + len %u > actual %u\n", + __func__, offset, length, actual_length); + goto fail; + } /* Extended descriptor is valid for WLAN queues only */ if (queueno =3D=3D RSI_WIFI_DATA_Q || queueno =3D=3D RSI_WIFI_MGMT_Q) extended_desc =3D rsi_get_extended_desc(frame_desc, From nobody Tue Jun 16 03:46:45 2026 Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E4C233939D5 for ; Wed, 15 Apr 2026 22:23:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291796; cv=none; b=dJQbEqpZ4mGz/lrOPhJ0sQN+icAS4Qaw8uwSW5NXkavc9gYCYsj9SFnlitudYXzF5nlMyOIbpXLB+H1FjVkeCXd38ZqPJpP6KfWMiECssVQWe52moxcvEACzsG73a/tXK8UxOugWdKoSzxSGWrAAUxEGg+3K+Txf+wO04qMaCz8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291796; c=relaxed/simple; bh=b42wQuu5Bk67LUY7zRvQ0yi+2bQYfp5nEC1JxC5I5j0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=g5eeVS4zYsvsy15U3JAUrYD3efA5Jr0Kvuzb93PXVQLTp8PRYHZiMkQ6YzWrEI4ZGfBw4QI2iAI0OCwU49rAiOpQSpmVy5zg7a406ZTDlVhzO7tshOC36QOTdxmUnWOfFpFVVVfDdsxrz9w8dSWDW6v1mePmefrOr271VkOCqdA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=FGynCTxx; arc=none smtp.client-ip=209.85.221.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) 
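Review bot: `offset + length > actual_length` bounds only the payload bytes; rsi_prepare_skb() allocates `pkt_len + FRAME_DESC_SZ` (patch 2/5), which suggests `length` excludes the descriptor and the copy source starts after it, in which case the final FRAME_DESC_SZ bytes of the read remain unchecked and the bound should be `offset + FRAME_DESC_SZ + length > actual_length`; please confirm which bytes `length` counts and say so in the commit message. Like patch 1/5, this compares against actual_length, a u16 taken from the same firmware descriptor, so the series still needs actual_length validated against rcv_pkt_len somewhere for this bound to be meaningful on the SDIO path. No overflow concern in the sum itself: offset is u16 and length is at most 4095, so the addition fits comfortably in int.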
From: Tristan Madani
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 4/5] wifi: rsi: fix OOB read from firmware pad_bytes in management RX path
Date: Wed, 15 Apr 2026 22:23:06 +0000
Message-ID: <20260415222307.1537309-5-tristmd@gmail.com>
In-Reply-To: <20260415222307.1537309-1-tristmd@gmail.com>
References: <20260415222307.1537309-1-tristmd@gmail.com>

The firmware-controlled pad_bytes value (u8, from descriptor byte 4) is used to shift the skb_put_data() source pointer forward in rsi_mgmt_pkt_to_core(). While the existing msg_len -= pad_bytes check catches the case where pad_bytes >= msg_len, it does not prevent a large pad_bytes from shifting the read window into heap memory beyond the actual packet data. The resulting kernel heap contents are delivered to mac80211 as a management frame.

Add validation that pad_bytes does not exceed half of msg_len. Alignment padding in 802.11 management frames is typically 0-3 bytes, so any value exceeding msg_len / 2 indicates a corrupted descriptor.

Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/rsi/rsi_91x_mgmt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_mgmt.c b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
@@ -490,6 +490,12 @@ static int rsi_mgmt_pkt_to_core(struct rsi_common *com= mon, u8 pad_bytes =3D msg[4]; struct sk_buff *skb; + if (pad_bytes > msg_len / 2) { + rsi_dbg(MGMT_RX_ZONE, + "%s: pad_bytes %u too large for msg_len %d\n", + __func__, pad_bytes, msg_len); + return -EINVAL; + } if (!adapter->sc_nvifs) return -ENOLINK; From nobody Tue Jun 16 03:46:45 2026 Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8BC3F390C94 for ; Wed, 15 Apr 2026 22:23:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291797; cv=none; b=tx/6RS0lllKKTSNpnfmwHDAzO8KEwPzkNRDxJv8cXRNiUbn21QOvaxf/5TqylQoECrq1Qiuraq6lSsZLHCMBH2LwhZjqmxHkQ4oNHzAuqaLBVGTnGUW6Ek2KkN5QGS4MsMnDnJs79ixfN/0rZVjLyFXJYL6MtIbQKSuK1+l5C2Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291797; c=relaxed/simple; bh=lvIZcEnA1Xr8BvwLhhibnIOHVWeM+A2VwaOHYI2m2Qw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hDlEDqUzmbgYI9fKXmto1h5T+UfmJ7C9qyHgpWc8KYOk7C05/9Af5XTNzHRMZvf5ExUFq+galX+8CEunKTKyxAzPDEbG5sUCNP9Svq3P+uQrb83cNmNeYBZkd4LNdunQOxerBAsEyKldYov46Lsb9PVnLonl7vOvJp7SpIgnKiY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=EUjYv7tC; arc=none smtp.client-ip=209.85.128.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com 
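Review bot: `pad_bytes > msg_len / 2` is a heuristic, not a bound: it still lets the skb_put_data() source move up to msg_len / 2 bytes forward, and whether that stays inside the received data depends on how msg_len relates to the underlying buffer, which this hunk does not show; the commit message itself says real padding is 0-3 bytes, so a small fixed ceiling, or a comparison against the actual buffer length, would be both tighter and easier to justify. At minimum, put a one-line comment above the check explaining the half-length threshold, since nothing at the call site motivates it. Format string: msg_len is printed with %d while the series otherwise prints lengths with %u; check the declared type. Documentation: the Fixes: tag cites dad0d04fa7ba as "rsi: Add RS9113 wireless driver", while patches 1-3 cite the same hash as "rsi: data and management rx path"; only one subject can be right.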
From: Tristan Madani
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 5/5] wifi: rsi: fix infinite loop when firmware sends zero-length packet
Date: Wed, 15 Apr 2026 22:23:07 +0000
Message-ID: <20260415222307.1537309-6-tristmd@gmail.com>
In-Reply-To: <20260415222307.1537309-1-tristmd@gmail.com>
References: <20260415222307.1537309-1-tristmd@gmail.com>

rsi_read_pkt() reads actual_length from the frame descriptor as a u16. When the firmware returns actual_length == 0, the loop's index and rcv_pkt_len counters never change, creating an infinite kernel loop.

Check for zero actual_length immediately after reading it from the descriptor and bail out if invalid.

Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/rsi/rsi_91x_main.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless= /rsi/rsi_91x_main.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/rsi/rsi_91x_main.c +++ b/drivers/net/wireless/rsi/rsi_91x_main.c @@ -168,6 +168,9 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt,= s32 rcv_pkt_len) do { frame_desc =3D &rx_pkt[index]; actual_length =3D *(u16 *)&frame_desc[0]; + if (!actual_length) + goto fail; + offset =3D *(u16 *)&frame_desc[2]; if (!rcv_pkt_len && offset > RSI_MAX_RX_USB_PKT_SIZE - FRAME_DESC_SZ) -- 2.43.0
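Review bot: the zero check silently does `goto fail` where every other patch in the series logs through rsi_dbg(ERR_ZONE, ...) before bailing; add the same diagnostic so a firmware that emits a zero-length descriptor shows up in the logs. More importantly, this is the one place actual_length is read, and patches 1/5 and 3/5 bound offset and length against it; an upper bound here (`actual_length > rcv_pkt_len` for the SDIO path, where the series says rcv_pkt_len is positive) would tie those checks to the real buffer, and because they depend on actual_length being sane this patch belongs at the front of the series rather than at 5/5. Pre-existing and out of scope for the fix, but worth a follow-up: `*(u16 *)&frame_desc[0]` and `*(u16 *)&frame_desc[2]` are unaligned, host-endian reads of firmware fields; get_unaligned_le16() is the idiomatic form.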