From: Michael Bommarito
To: Miri Korenblit
Cc: Johannes Berg, Emmanuel Grumbach, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 1/4] wifi: iwlwifi: mvm: include matches_len in scan-offload-query length check
Date: Fri, 15 May 2026 08:10:57 -0400
Message-ID: <20260515121100.649334-2-michael.bommarito@gmail.com>
In-Reply-To: <20260515121100.649334-1-michael.bommarito@gmail.com>
References: <20260515121100.649334-1-michael.bommarito@gmail.com>

iwl_mvm_netdetect_query_results() validates the firmware response
length against query_len (the fixed-header size of struct
iwl_scan_offload_match_info or iwl_scan_offload_profiles_query_v1)
but immediately follows with:

    memcpy(results->matches, query->matches, matches_len);

where matches_len is
sizeof(struct iwl_scan_offload_profile_match[_v1]) * iwl_umac_scan_get_max_profiles(mvm->fw)
and is not included in the guard. A firmware response of exactly
query_len bytes therefore satisfies the guard, yet the memcpy reads
matches_len bytes past the end of the slab-allocated firmware-response
buffer.

The worst-case extent depends on the firmware path:

- v2 layout, SCAN_OFFLOAD_UPDATE_PROFILES_CMD version unknown or < 3:
  matches_len = 18 * IWL_SCAN_MAX_PROFILES = 198 bytes.
- v2 layout, command version >= 3:
  matches_len = 18 * IWL_SCAN_MAX_PROFILES_V2 = 144 bytes.
- v1 layout: matches_len = 16 * IWL_SCAN_MAX_PROFILES = 176 bytes.

Reproduced under UML+KASAN via a KUnit harness that lifts the
length-validation + memcpy logic into a self-contained test. With the
response sized at the v2 query_len (24 bytes of match-info header) and
the older-firmware max_profiles path, KASAN reports a slab-out-of-bounds
READ of 198 bytes at 0 bytes to the right of a 24-byte allocation in
the kmalloc-32 cache.

Building drivers/net/wireless/intel/iwlwifi/mvm/d3.o under x86_64
allmodconfig with the fix applied yields no new warnings.

The sibling iwl_mvm_nd_match_info_handler() was corrected by commit
744fabc338e8 ("wifi: iwlwifi: mvm: fix potential out-of-bounds read in
iwl_mvm_nd_match_info_handler()"). The present function was missed
during that audit; apply the same correction shape.

Cc: stable@vger.kernel.org
Fixes: e4fe5d4b10cd ("iwlwifi: mvm: Support new format of SCAN_OFFLOAD_PROFILES_QUERY_RSP")
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
index 9a74f60c9185..c17ac62feec3 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
@@ -2458,7 +2458,7 @@ iwl_mvm_netdetect_query_results(struct iwl_mvm *mvm,
 	}
 
 	len = iwl_rx_packet_payload_len(cmd.resp_pkt);
-	if (len < query_len) {
+	if (len < query_len + matches_len) {
 		IWL_ERR(mvm, "Invalid scan offload profiles query response!\n");
 		ret = -EIO;
 		goto out_free_resp;
-- 
2.53.0
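Review bot: the rejection branch in this hunk still logs a fixed string, while the new lower bound now depends on the firmware-path-specific matches_len (198, 144 or 176 bytes per the commit message); including len and query_len + matches_len in the IWL_ERR would let a field report show which layout the firmware actually sent instead of just "Invalid". It is also worth confirming in the full function that matches_len is already computed at this point rather than only before the memcpy, since the hunk context does not show where it is assigned.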
From: Michael Bommarito
To: Miri Korenblit
Cc: Johannes Berg, Emmanuel Grumbach, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 2/4] wifi: iwlwifi: mvm: clamp set_freqs iteration to n_nd_channels
Date: Fri, 15 May 2026 08:10:58 -0400
Message-ID: <20260515121100.649334-3-michael.bommarito@gmail.com>
In-Reply-To: <20260515121100.649334-1-michael.bommarito@gmail.com>
References: <20260515121100.649334-1-michael.bommarito@gmail.com>

iwl_mvm_query_set_freqs() iterates over bit positions
0 .. SCAN_OFFLOAD_MATCHING_CHANNELS_LEN * 8 - 1 (= 0..55 on the v2
path, 0..39 on the v1 path) and, for each set bit, performs:

    match->channels[n_channels++] = mvm->nd_channels[i]->center_freq;

without constraining i against mvm->n_nd_channels. The pointer table
mvm->nd_channels is kmemdup()ed at suspend time with exactly
mvm->n_nd_channels entries (whatever the userspace
NL80211_CMD_SET_WOWLAN request supplied as nd_config->n_channels;
typical real-world values are 5..50). If the firmware response contains
any matching_channels[] bit set at a position >= mvm->n_nd_channels,
the indexed load reads a u8* slot past the end of the pointer-table
allocation, then the immediate ->center_freq dereferences that wild
pointer.

The pre-existing caller guard

    if (mvm->n_nd_channels < n_channels)
        continue;

compares the bitmap's popcount to the table length, not the bit
positions to the table length. A bitmap with three set bits at
positions {50, 51, 52} has popcount 3 and passes the guard
unconditionally, then walks 50+ entries off the end of
mvm->nd_channels.

Reproduced under UML+KASAN via a KUnit harness that lifts the iteration
logic. With nd_channels allocated as 5 entries and matching_channels
bits set at positions 7 (immediate redzone) and 50 (far OOB), the
kernel panics on the wild deref:

    Kernel panic - not syncing: Segfault with no mm
    RIP: 0033:set_freqs_buggy.constprop.0+0xc1/0x15e

(The selector 0x0033 in the RIP line is UML's user-mode segment; under
UML, in-kernel code runs in ring 3 on the host. The trap is a
kernel-context page fault on the wild-pointer deref.)

Building drivers/net/wireless/intel/iwlwifi/mvm/d3.o under x86_64
allmodconfig with the fix applied yields no new warnings.

Clamp the iteration upper bound to min(matching-bits-width,
mvm->n_nd_channels) so high-position bits, however the firmware emitted
them, cannot index past the pointer table. Mirror the fix for the v1
fallback arm.

Cc: stable@vger.kernel.org
Fixes: 8ed4e659f34c ("iwlwifi: mvm: add channel information to the netdetect notifications")
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
index c17ac62feec3..b04d8dd26cd0 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
@@ -2514,16 +2514,20 @@ static void iwl_mvm_query_set_freqs(struct iwl_mvm *mvm,
 			      IWL_UCODE_TLV_API_SCAN_OFFLOAD_CHANS)) {
 		struct iwl_scan_offload_profile_match *matches =
 			(void *)results->matches;
+		int max = min_t(int, SCAN_OFFLOAD_MATCHING_CHANNELS_LEN * 8,
+				mvm->n_nd_channels);
 
-		for (i = 0; i < SCAN_OFFLOAD_MATCHING_CHANNELS_LEN * 8; i++)
+		for (i = 0; i < max; i++)
 			if (matches[idx].matching_channels[i / 8] & (BIT(i % 8)))
 				match->channels[n_channels++] =
 					mvm->nd_channels[i]->center_freq;
 	} else {
 		struct iwl_scan_offload_profile_match_v1 *matches =
 			(void *)results->matches;
+		int max = min_t(int, SCAN_OFFLOAD_MATCHING_CHANNELS_LEN_V1 * 8,
+				mvm->n_nd_channels);
 
-		for (i = 0; i < SCAN_OFFLOAD_MATCHING_CHANNELS_LEN_V1 * 8; i++)
+		for (i = 0; i < max; i++)
 			if (matches[idx].matching_channels[i / 8] & (BIT(i % 8)))
 				match->channels[n_channels++] =
 					mvm->nd_channels[i]->center_freq;
-- 
2.53.0
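Review bot: the clamp in both arms silently discards every matching_channels bit at a position >= mvm->n_nd_channels, which is exactly the firmware/driver disagreement the commit message describes; dropping such a bit without a trace makes a misbehaving firmware image hard to diagnose, so a one-line warning when a set bit lies at or past the clamp would be worth adding alongside the bound. Minor: the two arms now differ only in the matches type and the _V1 constant, and this patch spells the byte width as `* 8` while [PATCH 4/4] in the same series uses BITS_PER_BYTE; using BITS_PER_BYTE here too keeps the series consistent.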
From: Michael Bommarito
To: Miri Korenblit
Cc: Johannes Berg, Emmanuel Grumbach, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 3/4] wifi: iwlwifi: mld: include matches tail in match-info length check
Date: Fri, 15 May 2026 08:10:59 -0400
Message-ID: <20260515121100.649334-4-michael.bommarito@gmail.com>
In-Reply-To: <20260515121100.649334-1-michael.bommarito@gmail.com>
References: <20260515121100.649334-1-michael.bommarito@gmail.com>

iwl_mld_netdetect_match_info_handler() validates the firmware
notification length against sizeof(*notif) (the fixed-header size of
struct iwl_scan_offload_match_info, 24 bytes) but then immediately
memcpys NETDETECT_QUERY_BUF_LEN bytes from notif->matches:

    if (IWL_FW_CHECK(mld, len < sizeof(*notif),
                     "Invalid scan offload match notif of length: %d\n", len))
        return true;
    ...
    if (results->matched_profiles)
        memcpy(results->matches, notif->matches, NETDETECT_QUERY_BUF_LEN);

NETDETECT_QUERY_BUF_LEN is
(sizeof(struct iwl_scan_offload_profile_match) * IWL_SCAN_MAX_PROFILES_V2)
= 18 * 8 = 144 bytes, so a firmware-emitted notif sized at exactly
sizeof(*notif) (24 bytes) satisfies the guard, yet the memcpy reads 144
bytes past the slab-allocated notification buffer.

Reproduced under UML+KASAN via a KUnit harness that lifts the
length-validation + memcpy logic into a self-contained test. KASAN
reports:

    BUG: KASAN: slab-out-of-bounds in mld_match_info_buggy.constprop.0
    Read of size 144 at addr ...

Building drivers/net/wireless/intel/iwlwifi/mld/d3.o under x86_64
allmodconfig with the fix applied yields no new warnings.

This is the same bug shape as the previously fixed sibling commit
744fabc338e8 ("wifi: iwlwifi: mvm: fix potential out-of-bounds read in
iwl_mvm_nd_match_info_handler()") applied to the mvm peer function. The
mld driver was added in February 2025 and inherited the same
length-check miss; apply the same correction shape.

Cc: stable@vger.kernel.org
Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
 drivers/net/wireless/intel/iwlwifi/mld/d3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/d3.c b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
index ef98efc8fb1b..e89ec531cb06 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
@@ -1128,7 +1128,7 @@ iwl_mld_netdetect_match_info_handler(struct iwl_mld *mld,
 			 mld->netdetect))
 		return true;
 
-	if (IWL_FW_CHECK(mld, len < sizeof(*notif),
+	if (IWL_FW_CHECK(mld, len < sizeof(*notif) + NETDETECT_QUERY_BUF_LEN,
 			 "Invalid scan offload match notif of length: %d\n",
 			 len))
 		return true;
-- 
2.53.0
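Review bot: the tightened check now rejects every notification shorter than the 24-byte header plus the full 144-byte matches tail, but the commit message shows the memcpy only runs under `if (results->matched_profiles)`; if the firmware ever sends a header-only notification when no profile matched, this change turns that benign event into a rejected notification and an IWL_FW_CHECK trip. Worth confirming against the firmware interface that the tail is always present; if it is not, keep the header check here and require the extra NETDETECT_QUERY_BUF_LEN only on the matched_profiles path, next to the memcpy.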
From: Michael Bommarito
To: Miri Korenblit
Cc: Johannes Berg, Emmanuel Grumbach, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 4/4] wifi: iwlwifi: mld: clamp netdetect channel iteration to n_channels
Date: Fri, 15 May 2026 08:11:00 -0400
Message-ID: <20260515121100.649334-5-michael.bommarito@gmail.com>
In-Reply-To: <20260515121100.649334-1-michael.bommarito@gmail.com>
References: <20260515121100.649334-1-michael.bommarito@gmail.com>

iwl_mld_set_netdetect_info() walks the per-match matching_channels[]
bitmap and emits one center_freq per set bit by indexing
netdetect_cfg->channels[]:

    for_each_set_bit(j, (unsigned long *)&matches[i].matching_channels[0],
                     sizeof(matches[i].matching_channels)) {
        match->channels[match->n_channels] =
            netdetect_cfg->channels[j]->center_freq;
        match->n_channels++;
    }

Two problems here.

First, the third argument to for_each_set_bit(bit, addr, size) is the
number of BITS to walk, not bytes. sizeof(matches[i].matching_channels)
is SCAN_OFFLOAD_MATCHING_CHANNELS_LEN = 7 BYTES, so the macro only
visits j = 0..6 and silently misses bits 7..55 of the 56-bit bitmap.
This is a functional defect (per-match channel reporting is truncated
to the first 7 entries of the bitmap).

Second, the loop body indexes netdetect_cfg->channels[j] without
bounding j against netdetect_cfg->n_channels. netdetect_cfg->channels
is a kmemdup()'ed array of pointers sized at exactly n_channels entries
(the user's WoWLAN net-detect channel list). If n_channels < 7 (a
2.4 GHz only configuration, or a small saved-SSID channel allowlist)
and the firmware sets a match bit at any position in [n_channels, 6],
the indexed load reads past the end of the allocation, and
->center_freq then dereferences whatever that wild pointer fetched.

Reproduced under UML+KASAN via a KUnit harness that lifts the iteration
logic. With netdetect_cfg->channels sized at 5 entries and
matching_channels bit 5 set, the kernel panics on the wild deref:

    Kernel panic - not syncing: Segfault with no mm
    RIP: 0033:mld_set_freqs_buggy.constprop.0+0x116/0x1c2

(The selector 0x0033 is UML's user-mode segment; under UML, in-kernel
code runs in ring 3 on the host. The trap is a kernel-context page
fault on the wild-pointer deref.)

Building drivers/net/wireless/intel/iwlwifi/mld/d3.o under x86_64
allmodconfig with the fix applied yields no new warnings.

Rewrite the iteration as an explicit indexed loop with an upper bound
of min(bitmap-width-in-bits, n_channels). This addresses both issues in
one step: bits-correct iteration over the bitmap, and a hard clamp
against the channels-table length. Address the two together because
applying only the bits-correct iteration without the clamp would widen
the OOB exposure from j < 7 to j < 56.

A short comment is added because the clamp's purpose (avoiding an OOB
pointer fetch from netdetect_cfg->channels) is not obvious from the
expression alone, and a future reader could otherwise "simplify" the
bound back to the underlying constant.

Cc: stable@vger.kernel.org
Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
 drivers/net/wireless/intel/iwlwifi/mld/d3.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/d3.c b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
index e89ec531cb06..51abf414bb1e 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
@@ -1165,7 +1165,7 @@ iwl_mld_set_netdetect_info(struct iwl_mld *mld,
 
 	for_each_set_bit(i, &matched_profiles, netdetect_cfg->n_match_sets) {
 		struct cfg80211_wowlan_nd_match *match;
-		int idx, j, n_channels = 0;
+		int idx, j, max, n_channels = 0;
 		struct iwl_scan_offload_profile_match *matches =
 			(void *)netdetect_res->matches;
 
@@ -1192,9 +1192,19 @@ iwl_mld_set_netdetect_info(struct iwl_mld *mld,
 		if (netdetect_cfg->n_channels < n_channels)
 			continue;
 
-		for_each_set_bit(j,
-				 (unsigned long *)&matches[i].matching_channels[0],
-				 sizeof(matches[i].matching_channels)) {
+		/* Clamp bit-index iteration to the channels table length:
+		 * a firmware-set bit past n_channels would otherwise index
+		 * past the kmemdup'd netdetect_cfg->channels[] allocation.
+		 */
+		max = min_t(int, BITS_PER_BYTE *
+				 sizeof(matches[i].matching_channels),
+			    netdetect_cfg->n_channels);
+
+		for (j = 0; j < max; j++) {
+			if (!(matches[i].matching_channels[j / BITS_PER_BYTE] &
+			      BIT(j % BITS_PER_BYTE)))
+				continue;
+
 			match->channels[match->n_channels] =
 				netdetect_cfg->channels[j]->center_freq;
 			match->n_channels++;
-- 
2.53.0
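Review bot: `max` in the @@ -1165 hunk is declared inside the per-match loop, but its value (the smaller of the bitmap width and netdetect_cfg->n_channels) does not depend on the match, so it reads as if it varied per iteration; computing it once before the for_each_set_bit(i, ...) loop would make that clear and avoid re-evaluating the min_t in every match.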
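Review bot: the rewritten loop in the @@ -1192 hunk drops any set bit at position >= n_channels without reporting it, even though the new comment itself calls such a bit a firmware-set index past the allocation; an IWL_FW_CHECK-style warning when a set bit lies at or beyond `max` would be consistent with how the length mismatch is reported in the match-info handler of the same file, and would make a misbehaving firmware visible rather than silently truncated. Also, the removed `(unsigned long *)&matches[i].matching_channels[0]` cast walked a 7-byte, non-long-aligned array as a word bitmap; the byte-indexed replacement removes that as well, which is worth a sentence in the commit message.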
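The bitmap walk that [PATCH 2/4] and [PATCH 4/4] both fix, as an added stand-alone C model (not the driver's code and not the author's KUnit harness): it shows why the popcount guard lets {50, 51, 52} through, what the bytes-as-bits size argument skips, and how the min(width, n_channels) clamp keeps every table index in range while counting the bits it silenced. The 7-byte bitmap width, the 5-entry channel table and its frequencies are constructed values standing in for the driver's constants.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the driver's constants, not the kernel headers. */
#define MATCHING_CHANNELS_LEN 7                 /* bytes, like SCAN_OFFLOAD_MATCHING_CHANNELS_LEN */
#define BITMAP_BITS (MATCHING_CHANNELS_LEN * 8) /* 56 bit positions */

/* Per-match channel bitmap: one bit per entry of the suspend-time channel table. */
struct match_bitmap {
	uint8_t matching_channels[MATCHING_CHANNELS_LEN];
};

/* Build a bitmap with the given positions set (positions >= BITMAP_BITS are ignored). */
static struct match_bitmap bitmap_from(const unsigned *pos, size_t n)
{
	struct match_bitmap m;
	size_t k;

	memset(&m, 0, sizeof(m));
	for (k = 0; k < n; k++)
		if (pos[k] < BITMAP_BITS)
			m.matching_channels[pos[k] / 8] |= (uint8_t)(1u << (pos[k] % 8));
	return m;
}

/* Visit set bits at positions [0, limit) in order; positions go to out when there
 * is room. Returns the number of set bits seen. The caller's limit is where both
 * bugs live: limit = sizeof(bitmap) = 7 is the bytes-as-bits mistake (bits 7..55
 * are never visited); limit = BITMAP_BITS = 56 is bit-correct but unclamped. */
static size_t walk_bits(struct match_bitmap m, size_t limit, unsigned *out, size_t cap)
{
	size_t i, n = 0;

	if (limit > BITMAP_BITS)
		limit = BITMAP_BITS;
	for (i = 0; i < limit; i++) {
		if (!(m.matching_channels[i / 8] & (1u << (i % 8))))
			continue;
		if (out && n < cap)
			out[n] = (unsigned)i;
		n++;
	}
	return n;
}

/* What the pre-existing "if (n_channels < popcount) continue;" guard measures:
 * how many bits are set, not where they are, so {50, 51, 52} passes for n_channels = 5. */
static size_t popcount_bitmap(struct match_bitmap m)
{
	return walk_bits(m, BITMAP_BITS, NULL, 0);
}

/* The fixed walk: bit-correct width, clamped to the table length, so a set bit at
 * position >= n_channels is never used as an index. *dropped (optional) receives the
 * number of set bits the clamp silenced; non-zero means the firmware reported a
 * channel the driver never configured, which is worth logging rather than hiding. */
static size_t walk_clamped(struct match_bitmap m, size_t n_channels,
			   unsigned *out, size_t cap, size_t *dropped)
{
	size_t limit = n_channels < BITMAP_BITS ? n_channels : BITMAP_BITS;
	size_t seen = walk_bits(m, limit, out, cap);

	if (dropped)
		*dropped = popcount_bitmap(m) - seen;
	return seen;
}

static size_t dropped_bits(struct match_bitmap m, size_t n_channels)
{
	size_t d = 0;

	walk_clamped(m, n_channels, NULL, 0, &d);
	return d;
}

/* Resolve the idx-th reported channel through an n_channels-entry table of center
 * frequencies, as the driver fills match->channels[]; 0 when idx is past the end.
 * Every table index used here is < n_channels by construction of walk_clamped(). */
static unsigned resolved_freq_at(struct match_bitmap m, const unsigned *table,
				 size_t n_channels, size_t idx)
{
	unsigned pos[BITMAP_BITS];
	size_t n = walk_clamped(m, n_channels, pos, BITMAP_BITS, NULL);

	return idx < n ? table[pos[idx]] : 0;
}

/* Constructed 5-entry 2.4 GHz table: the n_channels < 7 case from [PATCH 4/4]. */
static const unsigned demo_table[5] = { 2412, 2417, 2422, 2427, 2432 };

int main(void)
{
	const unsigned far_bits[] = { 50, 51, 52 };  /* the case from [PATCH 2/4] */
	struct match_bitmap m = bitmap_from(far_bits, 3);

	printf("popcount %zu, unclamped indexes %zu, clamped %zu, silenced %zu\n",
	       popcount_bitmap(m), walk_bits(m, BITMAP_BITS, NULL, 0),
	       walk_clamped(m, 5, NULL, 0, NULL), dropped_bits(m, 5));
	return 0;
}
```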