From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Tristan Madani
Subject: [PATCH v3 1/6] wifi: mwifiex: fix OOB write from firmware queue_index in WMM status response
Date: Tue, 21 Apr 2026 13:49:33 +0000
Message-ID: <20260421134938.331334-2-tristmd@gmail.com>
In-Reply-To: <20260421134938.331334-1-tristmd@gmail.com>
References: <20260421134938.331334-1-tristmd@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tristan Madani

The firmware-controlled queue_index (u8) from the WMM queue status TLV is
used to index the 4-entry ac_status[] array without validation. An
out-of-range value causes out-of-bounds writes of three firmware-controlled
bytes into adjacent struct fields.

Add a bounds check before using queue_index as an array index.

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Tristan Madani
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to produce
  valid index hashes (v2 had post-processed index lines).

Changes in v2:
- No code changes from v1.

 drivers/net/wireless/marvell/mwifiex/wmm.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c
index 841505e83c7fd..27e6dedcca2e8 100644
--- a/drivers/net/wireless/marvell/mwifiex/wmm.c
+++ b/drivers/net/wireless/marvell/mwifiex/wmm.c
@@ -943,6 +943,11 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private = *priv, tlv_wmm_qstatus->flow_required, tlv_wmm_qstatus->disabled); =20 + + if (tlv_wmm_qstatus->queue_index >=3D + IEEE80211_NUM_ACS) { + break; + } ac_status =3D &priv->wmm.ac_status[tlv_wmm_qstatus-> queue_index]; ac_status->disabled =3D tlv_wmm_qstatus->disabled;
-- 
2.47.3
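Review bot: the new check silently drops the TLV via `break`, but nothing records that the firmware handed over an invalid queue_index; a `mwifiex_dbg(priv->adapter, ERROR, ...)` line like the one in patch 2/6 would make a misbehaving firmware diagnosable, and the commit message should say whether the `break` skips only this TLV or ends processing of the remaining TLVs in the response. Style: the condition fits on one line and guards a single statement, so the braces and the split after `>=` can go:
	if (tlv_wmm_qstatus->queue_index >= IEEE80211_NUM_ACS)
		break;
Tying the bound to the array itself with `ARRAY_SIZE(priv->wmm.ac_status)` would also keep the check correct if the array is ever resized.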
From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Tristan Madani
Subject: [PATCH v3 2/6] wifi: mwifiex: fix OOB write from firmware TID in ADDBA response handler
Date: Tue, 21 Apr 2026 13:49:34 +0000
Message-ID: <20260421134938.331334-3-tristmd@gmail.com>
In-Reply-To: <20260421134938.331334-1-tristmd@gmail.com>
References: <20260421134938.331334-1-tristmd@gmail.com>

From: Tristan Madani

The TID value extracted from the Block Ack parameter set is a 4-bit field
(0-15), but aggr_prio_tbl[] has only 8 entries. A TID >= 8 causes an
out-of-bounds write to adjacent struct mwifiex_private fields.

Add a bounds check after extracting the TID.

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Tristan Madani
Acked-by: Brian Norris
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to produce
  valid index hashes (v2 had post-processed index lines).

Changes in v2:
- No code changes from v1.

 drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c
index cef8a55427dd0..5d97bddc71381 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n.c
@@ -154,6 +154,11 @@ int mwifiex_ret_11n_addba_req(struct mwifiex_private *= priv, tid =3D (block_ack_param_set & IEEE80211_ADDBA_PARAM_TID_MASK) >> BLOCKACKPARAM_TID_POS; =20 + if (tid >=3D MAX_NUM_TID) { + mwifiex_dbg(priv->adapter, ERROR, + "ADDBA RSP: invalid tid %d\n", tid); + return -EINVAL; + } tid_down =3D mwifiex_wmm_downgrade_tid(priv, tid); ra_list =3D mwifiex_wmm_get_ralist_node(priv, tid_down, add_ba_rsp-> peer_mac_addr);
-- 
2.47.3
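Review bot: the early `return -EINVAL` leaves the handler before the tid_down downgrade and the ra_list lookup that follow, so the commit message should state why a response carrying a TID of 8..15 cannot belong to a BA stream the driver set up earlier, i.e. why skipping the rest of the handler (including whatever cleanup it performs on a failed response) is safe. The bound itself is right: the mask and shift yield a 4-bit value and the description says aggr_prio_tbl[] has MAX_NUM_TID entries. Minor: the response already carries the peer address, so logging it alongside the TID, e.g. `"ADDBA RSP: invalid tid %d from %pM\n", tid, add_ba_rsp->peer_mac_addr`, would help correlate the message with the station when it fires.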
From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Tristan Madani
Subject: [PATCH v3 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response
Date: Tue, 21 Apr 2026 13:49:35 +0000
Message-ID: <20260421134938.331334-4-tristmd@gmail.com>
In-Reply-To: <20260421134938.331334-1-tristmd@gmail.com>
References: <20260421134938.331334-1-tristmd@gmail.com>

From: Tristan Madani

The firmware-controlled sta_count (u16) is used as an unbounded loop
counter for iterating station info entries. An inflated count drives
reads past the response buffer into kernel heap memory.

Add a check that sta_count fits within the response size.

Fixes: b21783e94e20 ("mwifiex: add sta_list firmware command")
Signed-off-by: Tristan Madani
Acked-by: Brian Norris
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to produce
  valid index hashes (v2 had post-processed index lines).

Changes in v2:
- No code changes from v1.

 drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
index 85512f526c5f2..4cf654046c6ae 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
@@ -976,8 +976,16 @@ static int mwifiex_ret_uap_sta_list(struct mwifiex_pri= vate *priv, struct mwifiex_ie_types_sta_info *sta_info =3D (void *)&sta_list->tlv; int i; struct mwifiex_sta_node *sta_node; + u16 resp_size =3D le16_to_cpu(resp->size); + u16 count =3D le16_to_cpu(sta_list->sta_count); + u16 max_count; =20 - for (i =3D 0; i < (le16_to_cpu(sta_list->sta_count)); i++) { + if (resp_size < sizeof(*resp) - sizeof(resp->params) + sizeof(*sta_list)) + return -EINVAL; + max_count =3D (resp_size - sizeof(*resp) + sizeof(resp->params) - + sizeof(*sta_list)) / sizeof(*sta_info); + count =3D min(count, max_count); + for (i =3D 0; i < count; i++) { sta_node =3D mwifiex_get_sta_entry(priv, sta_info->mac); if (unlikely(!sta_node)) continue;
-- 
2.47.3
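Review bot: the bound is derived from `resp->size`, which the firmware writes as well, so this only closes the over-read if the response path has already validated `resp->size` against the length actually received from the device; the commit message should say where that happens, or the check should be made against the received length instead. Readability: `sizeof(*resp) - sizeof(resp->params)` is the generic command header size and appears twice; the driver already names that header size (S_DS_GEN in fw.h), and using it makes the arithmetic obvious, e.g. `max_count = (resp_size - S_DS_GEN - sizeof(*sta_list)) / sizeof(*sta_info);`. Also, `min(count, max_count)` truncates silently; a debug message when `count > max_count` would surface the bogus sta_count the way patch 2/6 does for the TID.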
From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Tristan Madani
Subject: [PATCH v3 4/6] wifi: mwifiex: fix OOB read in scan response from mismatched TLV data sizes
Date: Tue, 21 Apr 2026 13:49:36 +0000
Message-ID: <20260421134938.331334-5-tristmd@gmail.com>
In-Reply-To: <20260421134938.331334-1-tristmd@gmail.com>
References: <20260421134938.331334-1-tristmd@gmail.com>

From: Tristan Madani

The TSF and ChanBand TLV arrays are indexed by the firmware-controlled
number_of_sets without cross-checking against the TLV header length
fields. When number_of_sets exceeds the TLV data, the loop reads past the
TLV data into adjacent command response memory.

Stop using the TLV data once the index exceeds its reported length.

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Tristan Madani
Acked-by: Brian Norris
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to produce
  valid index hashes (v2 had post-processed index lines).

Changes in v2:
- No code changes from v1.

 drivers/net/wireless/marvell/mwifiex/scan.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 97c0ec3b822e7..059215c86dffd 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -2187,10 +2187,13 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private = *priv, * received. */ if (tsf_tlv) - memcpy(&fw_tsf, &tsf_tlv->tsf_data[idx * TSF_DATA_SIZE], - sizeof(fw_tsf)); + if ((idx + 1) * TSF_DATA_SIZE <=3D + le16_to_cpu(tsf_tlv->header.len)) + memcpy(&fw_tsf, &tsf_tlv->tsf_data[idx * TSF_DATA_SIZE], + sizeof(fw_tsf)); =20 - if (chan_band_tlv) { + if (chan_band_tlv && (idx + 1) * sizeof(*chan_band) <=3D + le16_to_cpu(chan_band_tlv->header.len)) { chan_band =3D &chan_band_tlv->chan_band_param[idx]; radio_type =3D &chan_band->radio_type; } else {
-- 
2.47.3
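Review bot: when the TSF bound fails, `fw_tsf` is simply not written, so it keeps whatever value the previous `idx` iteration left in it and the current BSS is recorded with another entry's TSF; set `fw_tsf = 0` (or skip the TSF for that entry explicitly) in the short-TLV case. Style: `if (tsf_tlv)` followed by a second brace-less `if` is the dangling-else shape that breaks the moment someone adds an else, and it differs from the chan_band_tlv form right below; fold the two into one condition:
	if (tsf_tlv && (idx + 1) * TSF_DATA_SIZE <=
	    le16_to_cpu(tsf_tlv->header.len))
Both checks trust `header.len` as the payload length, which is fine as long as the TLV walker that produced tsf_tlv and chan_band_tlv already bounded each header.len by the remaining response buffer; worth stating in the commit message.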
From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Tristan Madani
Subject: [PATCH v3 5/6] wifi: mwifiex: fix OOB read from firmware intf_num in multichannel event
Date: Tue, 21 Apr 2026 13:49:37 +0000
Message-ID: <20260421134938.331334-6-tristmd@gmail.com>
In-Reply-To: <20260421134938.331334-1-tristmd@gmail.com>
References: <20260421134938.331334-1-tristmd@gmail.com>

From: Tristan Madani

The firmware-controlled intf_num is used to iterate the flexible array
bss_type_numlist[] without checking it against the TLV data length. An
inflated value causes out-of-bounds reads past the TLV data.

Clamp intf_num to the available TLV data.

Fixes: 8d6b538a5eac ("mwifiex: handle multichannel event")
Signed-off-by: Tristan Madani
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to produce
  valid index hashes (v2 had post-processed index lines).

Changes in v2:
- No code changes from v1.

 drivers/net/wireless/marvell/mwifiex/sta_event.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c
index fecd88967ceb8..6b7e5b6a66a9e 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_event.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c
@@ -450,6 +450,14 @@ void mwifiex_process_multi_chan_event(struct mwifiex_p= rivate *priv, =20 grp_info =3D (struct mwifiex_ie_types_mc_group_info *)tlv; intf_num =3D grp_info->intf_num; + { + u16 fixed_len =3D sizeof(*grp_info) - + sizeof(grp_info->header); + if (tlv_len < fixed_len || + intf_num > tlv_len - fixed_len) + intf_num =3D 0; + } + for (i =3D 0; i < intf_num; i++) { bss_type =3D grp_info->bss_type_numlist[i] >> 4; bss_num =3D grp_info->bss_type_numlist[i] & BSS_NUM_MASK;
-- 
2.47.3
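Review bot: the commit message says intf_num is clamped to the available TLV data, but the code zeroes it (`intf_num = 0`) whenever the count does not fit, which also discards the entries that are present; either implement the clamp the message describes, e.g. `intf_num = min_t(u16, intf_num, tlv_len - fixed_len);` after the `tlv_len < fixed_len` test, or reword the message to say a malformed group-info TLV is ignored entirely. The bound assumes one byte per bss_type_numlist[] entry (consistent with the `>> 4` / `& BSS_NUM_MASK` unpacking below) and that tlv_len is the payload length with the header already excluded, matching how fixed_len subtracts `sizeof(grp_info->header)`; please confirm the latter against where tlv_len is set. Style: the bare `{ ... }` block exists only to declare fixed_len; declare it with the function's other locals instead, and log the rejected event with mwifiex_dbg so a misbehaving firmware is visible rather than silently producing an empty loop.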
From: Tristan Madani
To: Brian Norris
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Tristan Madani
Subject: [PATCH v3 6/6] wifi: mwifiex: fix OOB read from inflated TLV length in IBSS peer event
Date: Tue, 21 Apr 2026 13:49:38 +0000
Message-ID: <20260421134938.331334-7-tristmd@gmail.com>
In-Reply-To: <20260421134938.331334-1-tristmd@gmail.com>
References: <20260421134938.331334-1-tristmd@gmail.com>

From: Tristan Madani

The IBSS connected handler replaces the buffer-bounded evt_len with the firmware-controlled TLV header length. An inflated value drives the IE parsing loop past the event buffer into adjacent kernel heap memory. Cap the TLV-derived length at the remaining event data size.

Fixes: 432da7d243da ("mwifiex: add HT aggregation support for adhoc mode")
Signed-off-by: Tristan Madani --- Changes in v3: - Regenerated from wireless-next with proper git format-patch to produce valid index hashes (v2 had post-processed index lines). Changes in v2: - No code changes from v1. drivers/net/wireless/marvell/mwifiex/sta_event.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net= /wireless/marvell/mwifiex/sta_event.c index 6b7e5b6a66a9e..62a879c09106e 100644 --- a/drivers/net/wireless/marvell/mwifiex/sta_event.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c @@ -45,6 +45,10 @@ static int mwifiex_check_ibss_peer_capabilities(struct m= wifiex_private *priv, */ evt_len =3D le16_to_cpu(tlv_mgmt_frame->header.len); curr +=3D (sizeof(*tlv_mgmt_frame) + 12); + if (evt_len > event->len - + (curr - event->data)) + evt_len =3D event->len - + (curr - event->data); } else { mwifiex_dbg(priv->adapter, MSG, "management frame tlv not found!\n"); --=20 2.47.3
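Review bot: In this hunk "curr" has already been advanced by "sizeof(*tlv_mgmt_frame) + 12" on the preceding line, so "event->len - (curr - event->data)" is evaluated without first confirming that curr still lies inside the event; when the TLV header sits at the very end of the buffer that subtraction goes negative or wraps (depending on the types of event->len and the pointer difference), and the comparison against evt_len then clamps nothing. Check the position once before deriving the remaining length, and take the same error exit the "management frame tlv not found!" branch uses when curr has run past the end, for example:

	if (curr - event->data > event->len)
		/* bail out as the missing-TLV branch does */
	evt_len = min_t(typeof(evt_len), evt_len, event->len - (curr - event->data));

That also removes the duplicated "event->len - (curr - event->data)" expression, which is currently written out twice across four wrapped lines.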