* [PATCH] wifi: ath6kl: validate assoc info lengths in the WMI connect event
@ 2026-07-11 7:13 Doruk Tan Ozturk
2026-07-11 14:39 ` Jeff Johnson
0 siblings, 1 reply; 4+ messages in thread
From: Doruk Tan Ozturk @ 2026-07-11 7:13 UTC (permalink / raw)
To: linux-wireless
Cc: Johannes Berg, Peddolla Harshavardhan Reddy, linux-kernel, stable
ath6kl_wmi_connect_event_rx() only checks that the received event is at
least sizeof(struct wmi_connect_event); it never checks that the trailing
beacon_ie_len + assoc_req_len + assoc_resp_len fields fit within the
received buffer. Those attacker/AP-influenced lengths then drive two
out-of-bounds accesses:
- The WMM information-element scan builds
peie = assoc_info + beacon_ie_len + assoc_req_len + assoc_resp_len
and walks up to it, reading past the end of the event buffer when the
declared lengths exceed the buffer. The walk also dereferences
pie[1..6] and pie[1] (for the advance) without checking they stay
within peie.
- ath6kl_cfg80211_connect_event() subtracts fixed offsets from
assoc_req_len (-= 4) and assoc_resp_len (-= 6), both u8, with no lower
bound. A short assoc request/response underflows the length to ~250,
which cfg80211_connect_result() / cfg80211_roamed() then treat as the
IE length and copy out of bounds from the small assoc_info buffer,
disclosing adjacent slab memory to user space via nl80211.
Bound the declared IE lengths against the received buffer, bound the WMM
element reads against peie, and clamp the assoc request/response lengths
before the subtraction. The sibling wil6210 driver already performs the
equivalent length check for the same WMI connect event.
Found by 0sec (https://0sec.ai) using automated source analysis; the
missing bounds are evident from source and cross-checked against the
sibling wil6210 driver. Compile-tested.
Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Cc: stable@vger.kernel.org
Assisted-by: 0sec:claude-opus-4-8
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
drivers/net/wireless/ath/ath6kl/cfg80211.c | 5 +++++
drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath6kl/cfg80211.c b/drivers/net/wireless/ath/ath6kl/cfg80211.c
index cc0f2c45fc3a..62f663c0daa2 100644
--- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
+++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
@@ -754,6 +754,11 @@ void ath6kl_cfg80211_connect_event(struct ath6kl_vif *vif, u16 channel,
u8 *assoc_resp_ie = assoc_info + beacon_ie_len + assoc_req_len +
assoc_resp_ie_offset;
+ if (assoc_req_len < assoc_req_ie_offset)
+ assoc_req_len = assoc_req_ie_offset;
+ if (assoc_resp_len < assoc_resp_ie_offset)
+ assoc_resp_len = assoc_resp_ie_offset;
+
assoc_req_len -= assoc_req_ie_offset;
assoc_resp_len -= assoc_resp_ie_offset;
diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index 72611a2ceb9d..fbfd74154d12 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -862,6 +862,10 @@ static int ath6kl_wmi_connect_event_rx(struct wmi *wmi, u8 *datap, int len,
ev = (struct wmi_connect_event *) datap;
+ if (len < sizeof(*ev) + ev->beacon_ie_len + ev->assoc_req_len +
+ ev->assoc_resp_len)
+ return -EINVAL;
+
if (vif->nw_type == AP_NETWORK) {
/* AP mode start/STA connected event */
struct net_device *dev = vif->ndev;
@@ -913,7 +917,8 @@ static int ath6kl_wmi_connect_event_rx(struct wmi *wmi, u8 *datap, int len,
while (pie < peie) {
switch (*pie) {
case WLAN_EID_VENDOR_SPECIFIC:
- if (pie[1] > 3 && pie[2] == 0x00 && pie[3] == 0x50 &&
+ if (pie + 7 <= peie && pie[1] > 3 &&
+ pie[2] == 0x00 && pie[3] == 0x50 &&
pie[4] == 0xf2 && pie[5] == WMM_OUI_TYPE) {
/* WMM OUT (00:50:F2) */
if (pie[1] > 5 &&
@@ -926,6 +931,9 @@ static int ath6kl_wmi_connect_event_rx(struct wmi *wmi, u8 *datap, int len,
if (wmi->is_wmm_enabled)
break;
+ if (pie + 1 >= peie)
+ break;
+
pie += pie[1] + 2;
}
--
2.43.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] wifi: ath6kl: validate assoc info lengths in the WMI connect event
2026-07-11 7:13 [PATCH] wifi: ath6kl: validate assoc info lengths in the WMI connect event Doruk Tan Ozturk
@ 2026-07-11 14:39 ` Jeff Johnson
2026-07-13 18:18 ` Doruk (0sec)
0 siblings, 1 reply; 4+ messages in thread
From: Jeff Johnson @ 2026-07-11 14:39 UTC (permalink / raw)
To: Doruk Tan Ozturk, linux-wireless
Cc: Johannes Berg, Peddolla Harshavardhan Reddy, linux-kernel, stable
On 7/11/2026 12:13 AM, Doruk Tan Ozturk wrote:
> ath6kl_wmi_connect_event_rx() only checks that the received event is at
> least sizeof(struct wmi_connect_event); it never checks that the trailing
> beacon_ie_len + assoc_req_len + assoc_resp_len fields fit within the
> received buffer. Those attacker/AP-influenced lengths then drive two
> out-of-bounds accesses:
>
> - The WMM information-element scan builds
> peie = assoc_info + beacon_ie_len + assoc_req_len + assoc_resp_len
> and walks up to it, reading past the end of the event buffer when the
> declared lengths exceed the buffer. The walk also dereferences
> pie[1..6] and pie[1] (for the advance) without checking they stay
> within peie.
>
> - ath6kl_cfg80211_connect_event() subtracts fixed offsets from
> assoc_req_len (-= 4) and assoc_resp_len (-= 6), both u8, with no lower
> bound. A short assoc request/response underflows the length to ~250,
> which cfg80211_connect_result() / cfg80211_roamed() then treat as the
> IE length and copy out of bounds from the small assoc_info buffer,
> disclosing adjacent slab memory to user space via nl80211.
>
> Bound the declared IE lengths against the received buffer, bound the WMM
> element reads against peie, and clamp the assoc request/response lengths
> before the subtraction. The sibling wil6210 driver already performs the
> equivalent length check for the same WMI connect event.
>
> Found by 0sec (https://0sec.ai) using automated source analysis; the
> missing bounds are evident from source and cross-checked against the
> sibling wil6210 driver. Compile-tested.
>
> Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
> Cc: stable@vger.kernel.org
> Assisted-by: 0sec:claude-opus-4-8
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Some aspects of your patch are already addressed by:
https://lore.kernel.org/all/20260421135009.348084-3-tristmd@gmail.com
So you will need to rebase once that lands.
/jeff
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] wifi: ath6kl: validate assoc info lengths in the WMI connect event
2026-07-11 14:39 ` Jeff Johnson
@ 2026-07-13 18:18 ` Doruk (0sec)
2026-07-13 19:21 ` Jeff Johnson
0 siblings, 1 reply; 4+ messages in thread
From: Doruk (0sec) @ 2026-07-13 18:18 UTC (permalink / raw)
To: jeff.johnson, linux-wireless
Cc: tristmd, johannes, peddolla.reddy, linux-kernel, stable
On 7/11/2026, Jeff Johnson wrote:
> Some aspects of your patch are already addressed by:
> https://lore.kernel.org/all/20260421135009.348084-3-tristmd@gmail.com
> So you will need to rebase once that lands.
Thanks for the heads up! One thing that looks like it may remain after
Tristan's patch, in case it's useful: the aggregate check bounds the case
where the declared lengths are too large, but ath6kl_cfg80211_connect_event()
still underflows when a length is too small. It does, on u8 values
with no lower bound:
assoc_req_len -= assoc_req_ie_offset; /* -= 4 */
assoc_resp_len -= assoc_resp_ie_offset; /* -= 6 */
so an assoc request/response shorter than the fixed offset wraps to ~250, and
cfg80211_connect_result()/cfg80211_roamed() then treat that as the IE length and
copy that many bytes out of the small assoc_info buffer to user space. That path
is separate from the aggregate over-read Tristan's check covers.
Happy to send a small follow-on clamping those two subtractions on top of
Tristan's series once it lands -- or Tristan, please feel free to fold it into
your series if you'd rather keep it together. Whatever's easiest for you both.
Best
Doruk
DORUK TAN ÖZTÜRK
Co-Founder
0sec
Universitätstrasse 33
8006 Zürich, Switzerland
www.0sec.ai | doruk@0sec.ai | Linkedin
On Sat, 11 Jul 2026 at 16:39, Jeff Johnson
<jeff.johnson@oss.qualcomm.com> wrote:
>
> On 7/11/2026 12:13 AM, Doruk Tan Ozturk wrote:
> > ath6kl_wmi_connect_event_rx() only checks that the received event is at
> > least sizeof(struct wmi_connect_event); it never checks that the trailing
> > beacon_ie_len + assoc_req_len + assoc_resp_len fields fit within the
> > received buffer. Those attacker/AP-influenced lengths then drive two
> > out-of-bounds accesses:
> >
> > - The WMM information-element scan builds
> > peie = assoc_info + beacon_ie_len + assoc_req_len + assoc_resp_len
> > and walks up to it, reading past the end of the event buffer when the
> > declared lengths exceed the buffer. The walk also dereferences
> > pie[1..6] and pie[1] (for the advance) without checking they stay
> > within peie.
> >
> > - ath6kl_cfg80211_connect_event() subtracts fixed offsets from
> > assoc_req_len (-= 4) and assoc_resp_len (-= 6), both u8, with no lower
> > bound. A short assoc request/response underflows the length to ~250,
> > which cfg80211_connect_result() / cfg80211_roamed() then treat as the
> > IE length and copy out of bounds from the small assoc_info buffer,
> > disclosing adjacent slab memory to user space via nl80211.
> >
> > Bound the declared IE lengths against the received buffer, bound the WMM
> > element reads against peie, and clamp the assoc request/response lengths
> > before the subtraction. The sibling wil6210 driver already performs the
> > equivalent length check for the same WMI connect event.
> >
> > Found by 0sec (https://0sec.ai) using automated source analysis; the
> > missing bounds are evident from source and cross-checked against the
> > sibling wil6210 driver. Compile-tested.
> >
> > Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
> > Cc: stable@vger.kernel.org
> > Assisted-by: 0sec:claude-opus-4-8
> > Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
>
> Some aspects of your patch are already addressed by:
> https://lore.kernel.org/all/20260421135009.348084-3-tristmd@gmail.com
>
> So you will need to rebase once that lands.
>
> /jeff
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] wifi: ath6kl: validate assoc info lengths in the WMI connect event
2026-07-13 18:18 ` Doruk (0sec)
@ 2026-07-13 19:21 ` Jeff Johnson
0 siblings, 0 replies; 4+ messages in thread
From: Jeff Johnson @ 2026-07-13 19:21 UTC (permalink / raw)
To: Doruk (0sec), linux-wireless
Cc: tristmd, johannes, peddolla.reddy, linux-kernel, stable
On 7/13/2026 11:18 AM, Doruk (0sec) wrote:
> On 7/11/2026, Jeff Johnson wrote:
>> Some aspects of your patch are already addressed by:
>> https://lore.kernel.org/all/20260421135009.348084-3-tristmd@gmail.com
>> So you will need to rebase once that lands.
>
> Thanks for the heads up! One thing that looks like it may remain after
> Tristan's patch, in case it's useful: the aggregate check bounds the case
> where the declared lengths are too large, but ath6kl_cfg80211_connect_event()
> still underflows when a length is too small. It does, on u8 values
> with no lower bound:
>
> assoc_req_len -= assoc_req_ie_offset; /* -= 4 */
> assoc_resp_len -= assoc_resp_ie_offset; /* -= 6 */
>
> so an assoc request/response shorter than the fixed offset wraps to ~250, and
> cfg80211_connect_result()/cfg80211_roamed() then treat that as the IE length and
> copy that many bytes out of the small assoc_info buffer to user space. That path
> is separate from the aggregate over-read Tristan's check covers.
>
> Happy to send a small follow-on clamping those two subtractions on top of
> Tristan's series once it lands -- or Tristan, please feel free to fold it into
> your series if you'd rather keep it together. Whatever's easiest for you both.
I've already landed Tristan's series in ath-current, so you can base a new
patch upon that.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-13 19:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-07-11 7:13 [PATCH] wifi: ath6kl: validate assoc info lengths in the WMI connect event Doruk Tan Ozturk
2026-07-11 14:39 ` Jeff Johnson
2026-07-13 18:18 ` Doruk (0sec)
2026-07-13 19:21 ` Jeff Johnson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox