From nobody Tue Jun 16 03:46:35 2026 Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA02E392C5F for ; Wed, 15 Apr 2026 22:23:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291816; cv=none; b=D3C87NsZ1eT5eVuRo3OtbpSGUr4WigyzTG+qP7rwuppJM5cva0Wbv0Bix+qSLKNAnB1MM//qEIMhR2Ul4b3nBcKR/ALBlZXd0cej3MunkgnqTAZv6eovsbXtLe2wMAaG7U5WJzYdJZbW1rl46Crs35lEsFX7jPdVjKrtTK0FFZM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291816; c=relaxed/simple; bh=tZjNaZEXvnSFPEDZzHmrMt9aRXiBa+bJDj1WSm7wEDQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DuXWtwPk8Xwcf2uUIEs1m8G4BnF9PpdiSl4lpv4K9V8kCeFrPioTbO7cFy4je9N4q+tV2y00aRWNBfTYP5DWy4oDlttCp1gLUJU+1xV1lW0tW0yCAqmEODtj1NyJhx6n0tCtZg+rqzsiOuiVtbPR7cwn0JAtef6jjyJl09K9+k8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=a0hnPQzP; arc=none smtp.client-ip=209.85.128.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="a0hnPQzP" Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-488aa77a06eso119919355e9.0 for ; Wed, 15 Apr 2026 15:23:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776291811; x=1776896611; darn=vger.kernel.org; 
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=58lzRs6nO9P0m/wYeIkyHuOnKofA9zauhmvpRE3UfRM=; b=a0hnPQzPtL+eQmh0IZxap92h8szglN7k2WJCGKLF+IgSPcOpSa017yE7c7CGMkdRnG +2uLMlVzZ0Ei3k1YqpGmoxEqdi+uUXSaGxrN/EKTBTGaJ+cOzMU7RJ/we6Bhordewoi9 6Tu5c8VFaLVgp4l0HuOgqEVRPptiK0R6m3Xtn089LPp5bnkFUQMsgJOdP3bIFqSp+OUK GVojr6Ug9I3YHhTdWyPfaFsNAxf814b/vpgco/fEGK0SS9xgLU5WZ5PyMEQ36FB3RKYZ V7elHzb5+hdWAy3ygt7ad1DsYd2XGQCvG/ZW06XD0Dr0uHVgHNrCeleBYQEyvs9lrxDL 01iA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776291811; x=1776896611; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=58lzRs6nO9P0m/wYeIkyHuOnKofA9zauhmvpRE3UfRM=; b=L9G55ND3Jtkoj+7mZnTtGPG6IArV3tT52rJ2BS36K/+qtsXq6UjhCusOgREO8FHVv9 6nXLde5LDCdiN8QtcCIBNffnBrzXJ3URIVC2v+Kz0YfqN9BHJrMpFv5uozzhLi+81/Kb zM8fViujtKxkGlU5/FN/KcP6GSLMZ/+IHUPPbOnh1Twtqkh3X2NELh0vcr5n0y9RUH5O XVCwjrVZJ8tJ7heQWO281zPi/Ad/LY+ipLwGYSe5kPqDJ2Jm/hkvunbvB2vMmDS9L4sK fepkOyhVct5jya3nxDNNoXEuUcRGBilYHsbVepjll3VYvY1A2QibgHpEpBKZyj3M8v2h OKxA== X-Forwarded-Encrypted: i=1; AFNElJ990RrVZmGd1dK5IbkiVC12IFY6gFqgmzmV6lH5oDAdZ3CzWrd6vDGxDordO5UogVTWSjWlTqFsS3AVguU=@vger.kernel.org X-Gm-Message-State: AOJu0Yx8Cs7/2dQ4PIjCXmF2givqtP6hVcqmbaZ5Mv+QfQxlxin51JZk 6PMogJOwsDapeJGMOmAYpq+Wq9Ziqe4EdZsG/Fz60N9v7NrdgyRf5Ro= X-Gm-Gg: AeBDieuC9Gs9ICCn68ZpnYinXSaMbfHdEfDzDpfl/LTpDtyERjwMiTazqJ2WRGY73Hp 3fcTZ1DMv6QSyHm7b3thiXAzUhtR3kX2Sh4Ne1FgHspKcKbCuApxmFWTpXNTCASklD3gai9ErTz N+dls0MaCOXOVq52kud+OVxxXS0uY6GOI6Cr4urrxyTThAhgY7xVMA+s6TXUMbEfJNJekhJ8Olo pXNgdnxm+wLuOaHQmBRvMC1UdZKVuK5ytk7mWKYwqjoC4xQ7Fds/GKpbyMCOwldK+L4cpkYemHo XD9MT8Sd+BC1z67FBntP+y3jbUd479fF5brRK8+6/rq3R2ephszb1CF4E2SBr2frUGYqKG8sQqd i3TUgvExzdY1proZM0UoPJidfuHB39s07sXKuh++KeAOqTvi0Oz/nzuAbXLvBybJRDNFqaSQy3c jHPE0= X-Received: by 
2002:a05:600c:c117:b0:487:4eb:d125 with SMTP id 5b1f17b1804b1-488d67e370bmr223489645e9.9.1776291810987; Wed, 15 Apr 2026 15:23:30 -0700 (PDT)
Received: from debian.. ([2001:41d0:303:db6b::]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488f0eb3842sm30160995e9.24.2026.04.15.15.23.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Apr 2026 15:23:30 -0700 (PDT)
From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/6] wifi: mwifiex: fix OOB write from firmware queue_index in WMM status response
Date: Wed, 15 Apr 2026 22:23:22 +0000
Message-ID: <20260415222327.1539269-2-tristmd@gmail.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260415222327.1539269-1-tristmd@gmail.com>
References: <20260415222327.1539269-1-tristmd@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Tristan Madani

The firmware-controlled queue_index (u8) from the WMM queue status TLV is
used to index the 4-entry ac_status[] array without validation. An
out-of-range value causes out-of-bounds writes of three firmware-controlled
bytes into adjacent struct fields.

Add a bounds check before using queue_index as an array index.

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/marvell/mwifiex/wmm.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/marvell/mwifiex/wmm.c
+++ b/drivers/net/wireless/marvell/mwifiex/wmm.c
@@ -945,6 +945,11 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private = *priv, tlv_wmm_qstatus->disabled); + if (tlv_wmm_qstatus->queue_index >=3D + IEEE80211_NUM_ACS) { + break; + } + ac_status =3D &priv->wmm.ac_status[tlv_wmm_qstatus-> queue_index]; ac_status->disabled =3D tlv_wmm_qstatus->disabled;
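Review bot: the new check silently drops the TLV, and the hunk does not show what `break` leaves (the enclosing loop or a switch case), so the commit message should say that an out-of-range queue_index skips this TLV rather than the whole response, and the branch should log it the way 2/6 does with mwifiex_dbg(priv->adapter, ERROR, ...); a firmware that hands out a bad index is worth a line in dmesg. Two smaller points: express the bound as ARRAY_SIZE(priv->wmm.ac_status) so it cannot drift from the array it protects, and `if (tlv_wmm_qstatus->queue_index >= IEEE80211_NUM_ACS)` fits on one line, so the braces around the lone `break;` can go.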

From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/6] wifi: mwifiex: fix OOB write from firmware TID in ADDBA response handler
Date: Wed, 15 Apr 2026 22:23:23 +0000
Message-ID: <20260415222327.1539269-3-tristmd@gmail.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260415222327.1539269-1-tristmd@gmail.com>
References: <20260415222327.1539269-1-tristmd@gmail.com>

From: Tristan Madani

The TID value extracted from the Block Ack parameter set is a 4-bit field
(0-15), but aggr_prio_tbl[] has only 8 entries. A TID >= 8 causes an
out-of-bounds write to adjacent struct mwifiex_private fields.

Add a bounds check after extracting the TID.

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n.c 
@@ -155,6 +155,11 @@ int mwifiex_ret_11n_addba_req(struct mwifiex_private *= priv, tid =3D (block_ack_param_set & IEEE80211_ADDBA_PARAM_TID_MASK) >> BLOCKACKPARAM_TID_POS; + if (tid >=3D MAX_NUM_TID) { + mwifiex_dbg(priv->adapter, ERROR, + "ADDBA RSP: invalid tid %d\n", tid); + return -EINVAL; + } tid_down =3D mwifiex_wmm_downgrade_tid(priv, tid); ra_list =3D mwifiex_wmm_get_ralist_node(priv, tid_down, add_ba_rsp-> peer_mac_addr);
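Review bot: returning -EINVAL here fails the whole command response (it is the value the command waiter sees), while 1/6 quietly skips the bad TLV and 3/6 and 5/6 clamp; pick one policy for firmware-supplied garbage and state it in the cover letter. The early return also sits before ra_list is looked up, so whatever the rest of the function does for a rejected ADDBA (not shown in the hunk) is skipped for an invalid TID; that is fine only if nothing was set up for that TID when the request went out, which deserves a sentence in the commit message. Minor: ARRAY_SIZE(priv->aggr_prio_tbl) ties the check to the array the commit message says it protects more directly than MAX_NUM_TID does.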

From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response
Date: Wed, 15 Apr 2026 22:23:24 +0000
Message-ID: <20260415222327.1539269-4-tristmd@gmail.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260415222327.1539269-1-tristmd@gmail.com>
References: <20260415222327.1539269-1-tristmd@gmail.com>

From: Tristan Madani

The firmware-controlled sta_count (u16) is used as an unbounded loop
counter for iterating station info entries. An inflated count drives
reads past the response buffer into kernel heap memory.

Add a check that sta_count fits within the response size.

Fixes: b21783e94e20 ("mwifiex: add sta_list firmware command")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
@@ -976,7 +976,15 @@ static int mwifiex_ret_uap_sta_list(struct mwifiex_pri= vate *priv, struct mwifiex_ie_types_sta_info *sta_info =3D (void *)&sta_list->tlv; int i; struct mwifiex_sta_node *sta_node; + u16 resp_size =3D le16_to_cpu(resp->size); + u16 count =3D le16_to_cpu(sta_list->sta_count); + u16 max_count; + if (resp_size < sizeof(*resp) - sizeof(resp->params) + sizeof(*sta_list)) + return -EINVAL; + max_count =3D (resp_size - sizeof(*resp) + sizeof(resp->params) - + sizeof(*sta_list)) / sizeof(*sta_info); + count =3D min(count, max_count); - for (i =3D 0; i < (le16_to_cpu(sta_list->sta_count)); i++) { + for (i =3D 0; i < count; i++) { sta_node =3D mwifiex_get_sta_entry(priv, sta_info->mac); if (unlikely(!sta_node)) continue;
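Review bot: resp->size is itself firmware-supplied, so this bound is only as good as whatever checked resp->size against the number of bytes the bus actually delivered; if nothing upstream of this handler does that, say so in the commit message or bound against the received length instead. On the arithmetic, `sizeof(*resp) - sizeof(resp->params)` is the fixed command header that mwifiex elsewhere writes as S_DS_GEN; computing the TLV byte count once, e.g. `u16 tlv_len = resp_size - S_DS_GEN - sizeof(*sta_list);`, avoids spelling the same expression twice with opposite signs and makes the precheck and the max_count line obviously refer to the same quantity. The division by sizeof(*sta_info) assumes the entries are packed at a fixed stride; if the loop below advances by each entry's header.len instead, bound the byte count rather than the entry count. Returning -EINVAL for a short response is also a different policy from the silent `count = min(count, max_count)` two lines later; one or the other.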

From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 4/6] wifi: mwifiex: fix OOB read in scan response from mismatched TLV data sizes
Date: Wed, 15 Apr 2026 22:23:25 +0000
Message-ID: <20260415222327.1539269-5-tristmd@gmail.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260415222327.1539269-1-tristmd@gmail.com>
References: <20260415222327.1539269-1-tristmd@gmail.com>

From: Tristan Madani

The TSF and ChanBand TLV arrays are indexed by the firmware-controlled
number_of_sets without cross-checking against the TLV header length
fields. When number_of_sets exceeds the TLV data, the loop reads past
the TLV data into adjacent command response memory.

Stop using the TLV data once the index exceeds its reported length.

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/marvell/mwifiex/scan.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -2188,10 +2188,12 @@ static int mwifiex_ret_802_11_scan(struct mwifiex_p= rivate *priv, * received. */ if (tsf_tlv) - memcpy(&fw_tsf, &tsf_tlv->tsf_data[idx * TSF_DATA_SIZE], + if ((idx + 1) * TSF_DATA_SIZE <=3D + le16_to_cpu(tsf_tlv->header.len)) + memcpy(&fw_tsf, &tsf_tlv->tsf_data[idx * TSF_DATA_SIZE], sizeof(fw_tsf)); - if (chan_band_tlv) { + if (chan_band_tlv && (idx + 1) * sizeof(*chan_band) <=3D + le16_to_cpu(chan_band_tlv->header.len)) { chan_band =3D &chan_band_tlv->chan_band_param[idx]; radio_type =3D &chan_band->radio_type; } else {
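Review bot: when the TSF check fails, fw_tsf keeps whatever the previous iteration stored, so the BSS at this idx is recorded with the prior entry's TSF; clear it (`fw_tsf = 0;`) in an else branch or at the top of each iteration. Style: `if (tsf_tlv)` followed by a second unbraced `if` is easy to misread; fold it into one condition, `if (tsf_tlv && (idx + 1) * TSF_DATA_SIZE <= le16_to_cpu(tsf_tlv->header.len))`, as the chan_band_tlv branch already does, and reindent the `sizeof(fw_tsf));` continuation to match. Both header.len values are read from the same response as number_of_sets; the check is sound only if the code that located tsf_tlv and chan_band_tlv already verified those lengths against the bytes remaining in the response, which the commit message should confirm.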

From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 5/6] wifi: mwifiex: fix OOB read from firmware intf_num in multichannel event
Date: Wed, 15 Apr 2026 22:23:26 +0000
Message-ID: <20260415222327.1539269-6-tristmd@gmail.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260415222327.1539269-1-tristmd@gmail.com>
References: <20260415222327.1539269-1-tristmd@gmail.com>

From: Tristan Madani

The firmware-controlled intf_num is used to iterate the flexible array
bss_type_numlist[] without checking it against the TLV data length. An
inflated value causes out-of-bounds reads past the TLV data.

Clamp intf_num to the available TLV data.

Fixes: 8d6b538a5eac ("mwifiex: handle multichannel event")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/marvell/mwifiex/sta_event.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_event.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c
@@ -450,7 +450,15 @@ void mwifiex_process_multi_chan_event(struct mwifiex_p= rivate *priv, grp_info =3D (struct mwifiex_ie_types_mc_group_info *)tlv; intf_num =3D grp_info->intf_num; + { + u16 fixed_len =3D sizeof(*grp_info) - + sizeof(grp_info->header); + if (tlv_len < fixed_len || + intf_num > tlv_len - fixed_len) + intf_num =3D 0; + } + for (i =3D 0; i < intf_num; i++) { bss_type =3D grp_info->bss_type_numlist[i] >> 4;
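Review bot: the bare `{ ... }` block exists only to declare fixed_len; kernel style is to declare it with the function's other locals (it is a compile-time constant, so a `const u16` or a #define would do) and drop the braces. Setting intf_num = 0 silently hides a firmware bug; a mwifiex_dbg(priv->adapter, ERROR, ...) like 2/6 would make the failure diagnosable, and the commit message says "clamp" while the code discards the whole list, so align one with the other. The bound is against tlv_len, which the hunk takes as given; it only holds if the enclosing TLV walk (not shown here) has already checked tlv_len against the bytes left in the event buffer. If it has not, that check belongs here as well, because the advance to the next TLV uses tlv_len too.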
From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 6/6] wifi: mwifiex: fix OOB read from inflated TLV length in IBSS peer event
Date: Wed, 15 Apr 2026 22:23:27 +0000
Message-ID: <20260415222327.1539269-7-tristmd@gmail.com>
In-Reply-To: <20260415222327.1539269-1-tristmd@gmail.com>
References: <20260415222327.1539269-1-tristmd@gmail.com>

From: Tristan Madani

The IBSS connected handler replaces the buffer-bounded evt_len with the firmware-controlled TLV header length. An inflated value drives the IE parsing loop past the event buffer into adjacent kernel heap memory. Cap the TLV-derived length at the remaining event data size.

Fixes: 432da7d243da ("mwifiex: add HT aggregation support for adhoc mode")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/marvell/mwifiex/sta_event.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net= /wireless/marvell/mwifiex/sta_event.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/marvell/mwifiex/sta_event.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c @@ -46,6 +46,10 @@ static int mwifiex_check_ibss_peer_capabilties(struct mw= ifiex_private *priv, evt_len =3D le16_to_cpu(tlv_mgmt_frame->header.len); curr +=3D (sizeof(*tlv_mgmt_frame) + 12); + if (evt_len > event->len - + (curr - event->data)) + evt_len =3D event->len - + (curr - event->data); } else { mwifiex_dbg(priv->adapter, MSG,
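Review bot: The cap is computed after `curr` has already been advanced by `sizeof(*tlv_mgmt_frame) + 12`, and nothing in the visible context establishes that those bytes themselves lie inside `event->len`. If they do not, `event->len - (curr - event->data)` is negative (or wraps, depending on the type of `event->len`), the `evt_len >` comparison need not fire, and the IE parser still starts past the end of the buffer. Checking that the remaining length covers the TLV header plus the 12 skipped bytes before advancing `curr`, and leaving the handler otherwise, would close that gap. The remaining length is also computed twice; a local such as `remaining = event->len - (curr - event->data)` would make the check easier to read and audit. Since `evt_len` comes from `le16_to_cpu(tlv_mgmt_frame->header.len)` and `curr - event->data` is a pointer difference, the signedness and width of `event->len` decide how the comparison promotes; a cast to one unsigned size type, or a comment stating the types, is worth adding.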
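Both hunks in this series apply the same defensive pattern to firmware-supplied TLVs: a TLV's declared length is never trusted beyond the bytes that remain in the event buffer (6/6), and a per-entry count inside a TLV is never trusted beyond the bytes the TLV's own length covers (5/6). The following C program is an added example written for this page, not mwifiex driver code, and it generalizes both checks into one bounded TLV walk. The 4-byte little-endian type/length header, the type ids 1 and 2, the one-byte entry count inside the group-info TLV, and the three sample buffers are all constructed for the example and do not reflect the real mwifiex wire format.

```c
/* Bounded walk over a constructed firmware event buffer made of TLVs.
 * Added example for this page; not mwifiex code. Wire format assumed here:
 *   u16 type (LE), u16 len (LE), then len payload bytes.
 * Type 1 ("group info", constructed): one count byte, then count one-byte
 * entries, each carrying a nibble-packed value like the driver's
 * bss_type_numlist. Type 2: opaque payload.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR_LEN 4u
#define TLV_TYPE_GROUP_INFO 1u   /* constructed type id */
#define TLV_TYPE_OPAQUE 2u       /* constructed type id */

enum walk_status { WALK_OK = 0, WALK_BAD_TLV_LEN = 1, WALK_BAD_COUNT = 2 };

struct walk_result {
	enum walk_status status;
	unsigned tlvs;      /* TLVs whose length fit the buffer */
	unsigned entries;   /* group-info entries visited */
};

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* The count byte is firmware-controlled, so it is checked against the bytes
 * the (already validated) TLV length covers, mirroring the 5/6 hunk's
 * "intf_num > tlv_len - fixed_len" test. The fixed part is tested first so
 * the subtraction cannot wrap. */
static int parse_group_info(const uint8_t *payload, size_t tlv_len,
			    unsigned *entries)
{
	const size_t fixed_len = 1;
	unsigned count, i;

	if (tlv_len < fixed_len)
		return -1;
	count = payload[0];
	if (count > tlv_len - fixed_len)
		return -1;                /* entries would run past the TLV */
	for (i = 0; i < count; i++) {
		uint8_t bss_type = payload[fixed_len + i] >> 4;  /* stays in bounds */
		(void)bss_type;
		(*entries)++;
	}
	return 0;
}

/* Walk buf[0..len). A header that does not fit ends the walk; a declared
 * length larger than the remaining bytes rejects the buffer, since reading
 * it would run past the event data (the 6/6 hunk's condition). */
static struct walk_result walk_tlvs(const uint8_t *buf, size_t len)
{
	struct walk_result r = { WALK_OK, 0, 0 };
	size_t off = 0;

	while (len - off >= TLV_HDR_LEN) {
		uint16_t type = get_le16(buf + off);
		uint16_t tlv_len = get_le16(buf + off + 2);
		size_t remaining = len - off - TLV_HDR_LEN;

		if (tlv_len > remaining) {
			r.status = WALK_BAD_TLV_LEN;
			return r;
		}
		if (type == TLV_TYPE_GROUP_INFO &&
		    parse_group_info(buf + off + TLV_HDR_LEN, tlv_len, &r.entries) < 0) {
			r.status = WALK_BAD_COUNT;
			return r;
		}
		r.tlvs++;
		off += TLV_HDR_LEN + tlv_len;   /* never exceeds len: tlv_len <= remaining */
	}
	return r;
}

/* Constructed sample buffers (not captured from any device). */
static const uint8_t sample_good[] = {
	0x01, 0x00, 0x03, 0x00, 0x02, 0x10, 0x20,   /* group info: count 2, two entries */
	0x02, 0x00, 0x02, 0x00, 0xaa, 0xbb,         /* opaque TLV, 2 payload bytes */
};
static const uint8_t sample_inflated[] = {
	0x02, 0x00, 0xff, 0xff, 0xaa, 0xbb,         /* claims 65535 bytes, carries 2 */
};
static const uint8_t sample_bad_count[] = {
	0x01, 0x00, 0x03, 0x00, 0x09, 0x10, 0x20,   /* count 9, only 2 entry bytes */
};

struct walk_result walk_sample_good(void) { return walk_tlvs(sample_good, sizeof(sample_good)); }
struct walk_result walk_sample_inflated(void) { return walk_tlvs(sample_inflated, sizeof(sample_inflated)); }
struct walk_result walk_sample_bad_count(void) { return walk_tlvs(sample_bad_count, sizeof(sample_bad_count)); }

int main(void)
{
	struct walk_result g = walk_sample_good();
	struct walk_result i = walk_sample_inflated();
	struct walk_result c = walk_sample_bad_count();

	printf("good: status %d, %u tlvs, %u entries\n", g.status, g.tlvs, g.entries);
	printf("inflated length: status %d (expected %d)\n", i.status, WALK_BAD_TLV_LEN);
	printf("bad count: status %d (expected %d)\n", c.status, WALK_BAD_COUNT);
	return 0;
}
```

The walk rejects a bad length outright rather than capping it as the 6/6 hunk does; either is a defensible choice, but rejecting makes the malformed event visible to the caller, which is the point raised in the review notes above about silent truncation.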