Skip to content

Commit e0ecdbf

Browse files
committed
Merge: CVE-2025-37943: wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6904 JIRA: https://issues.redhat.com/browse/RHEL-93256 CVE: CVE-2025-37943 ``` commit 9a0dddf Author: Manish Dharanenthiran <[email protected]> Date: Tue Feb 11 14:33:02 2025 +0530 wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi In certain cases, hardware might provide packets with a length greater than the maximum native Wi-Fi header length. This can lead to accessing and modifying fields in the header within the ath12k_dp_rx_h_undecap_nwifi function for DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and potentially resulting in invalid data access and memory corruption. Add a sanity check before processing the SKB to prevent invalid data access in the undecap native Wi-Fi function for the DP_RX_DECAP_TYPE_NATIVE_WIFI decap type. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Signed-off-by: Manish Dharanenthiran <[email protected]> Signed-off-by: Tamizh Chelvam Raja <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jeff Johnson <[email protected]> ``` Signed-off-by: CKI Backport Bot <[email protected]> --- <small>Created 2025-05-22 18:39 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12334433&issuetype=1&priority=4&summary=backporter+webhook+issue&components=kernel-workflow+/+backporter)</small> Approved-by: José Ignacio Tornos Martínez <[email protected]> Approved-by: Izabela Bakollari <[email protected]> Approved-by: Michal Schmidt <[email protected]> Approved-by: mheib <[email protected]> Approved-by: CKI KWF Bot <[email protected]> Merged-by: Jan Stancek <[email protected]>
2 parents db55388 + 14c5e93 commit e0ecdbf

File tree

1 file changed

+40
-2
lines changed
  • drivers/net/wireless/ath/ath12k

1 file changed

+40
-2
lines changed

drivers/net/wireless/ath/ath12k/dp_rx.c

Lines changed: 40 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2530,6 +2530,29 @@ static void ath12k_dp_rx_deliver_msdu(struct ath12k *ar, struct napi_struct *nap
25302530
ieee80211_rx_napi(ath12k_ar_to_hw(ar), pubsta, msdu, napi);
25312531
}
25322532

2533+
static bool ath12k_dp_rx_check_nwifi_hdr_len_valid(struct ath12k_base *ab,
2534+
struct hal_rx_desc *rx_desc,
2535+
struct sk_buff *msdu)
2536+
{
2537+
struct ieee80211_hdr *hdr;
2538+
u8 decap_type;
2539+
u32 hdr_len;
2540+
2541+
decap_type = ath12k_dp_rx_h_decap_type(ab, rx_desc);
2542+
if (decap_type != DP_RX_DECAP_TYPE_NATIVE_WIFI)
2543+
return true;
2544+
2545+
hdr = (struct ieee80211_hdr *)msdu->data;
2546+
hdr_len = ieee80211_hdrlen(hdr->frame_control);
2547+
2548+
if ((likely(hdr_len <= DP_MAX_NWIFI_HDR_LEN)))
2549+
return true;
2550+
2551+
ab->soc_stats.invalid_rbm++;
2552+
WARN_ON_ONCE(1);
2553+
return false;
2554+
}
2555+
25332556
static int ath12k_dp_rx_process_msdu(struct ath12k *ar,
25342557
struct sk_buff *msdu,
25352558
struct sk_buff_head *msdu_list,
@@ -2588,6 +2611,11 @@ static int ath12k_dp_rx_process_msdu(struct ath12k *ar,
25882611
}
25892612
}
25902613

2614+
if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(ab, rx_desc, msdu))) {
2615+
ret = -EINVAL;
2616+
goto free_out;
2617+
}
2618+
25912619
ath12k_dp_rx_h_ppdu(ar, rx_desc, rx_status);
25922620
ath12k_dp_rx_h_mpdu(ar, msdu, rx_desc, rx_status);
25932621

@@ -2978,6 +3006,9 @@ static int ath12k_dp_rx_h_verify_tkip_mic(struct ath12k *ar, struct ath12k_peer
29783006
RX_FLAG_IV_STRIPPED | RX_FLAG_DECRYPTED;
29793007
skb_pull(msdu, hal_rx_desc_sz);
29803008

3009+
if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(ab, rx_desc, msdu)))
3010+
return -EINVAL;
3011+
29813012
ath12k_dp_rx_h_ppdu(ar, rx_desc, rxs);
29823013
ath12k_dp_rx_h_undecap(ar, msdu, rx_desc,
29833014
HAL_ENCRYPT_TYPE_TKIP_MIC, rxs, true);
@@ -3720,6 +3751,9 @@ static int ath12k_dp_rx_h_null_q_desc(struct ath12k *ar, struct sk_buff *msdu,
37203751
skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len);
37213752
skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes);
37223753
}
3754+
if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(ab, desc, msdu)))
3755+
return -EINVAL;
3756+
37233757
ath12k_dp_rx_h_ppdu(ar, desc, status);
37243758

37253759
ath12k_dp_rx_h_mpdu(ar, msdu, desc, status);
@@ -3764,7 +3798,7 @@ static bool ath12k_dp_rx_h_reo_err(struct ath12k *ar, struct sk_buff *msdu,
37643798
return drop;
37653799
}
37663800

3767-
static void ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
3801+
static bool ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
37683802
struct ieee80211_rx_status *status)
37693803
{
37703804
struct ath12k_base *ab = ar->ab;
@@ -3782,13 +3816,17 @@ static void ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
37823816
skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len);
37833817
skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes);
37843818

3819+
if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(ab, desc, msdu)))
3820+
return true;
3821+
37853822
ath12k_dp_rx_h_ppdu(ar, desc, status);
37863823

37873824
status->flag |= (RX_FLAG_MMIC_STRIPPED | RX_FLAG_MMIC_ERROR |
37883825
RX_FLAG_DECRYPTED);
37893826

37903827
ath12k_dp_rx_h_undecap(ar, msdu, desc,
37913828
HAL_ENCRYPT_TYPE_TKIP_MIC, status, false);
3829+
return false;
37923830
}
37933831

37943832
static bool ath12k_dp_rx_h_rxdma_err(struct ath12k *ar, struct sk_buff *msdu,
@@ -3807,7 +3845,7 @@ static bool ath12k_dp_rx_h_rxdma_err(struct ath12k *ar, struct sk_buff *msdu,
38073845
case HAL_REO_ENTR_RING_RXDMA_ECODE_TKIP_MIC_ERR:
38083846
err_bitmap = ath12k_dp_rx_h_mpdu_err(ab, rx_desc);
38093847
if (err_bitmap & HAL_RX_MPDU_ERR_TKIP_MIC) {
3810-
ath12k_dp_rx_h_tkip_mic_err(ar, msdu, status);
3848+
drop = ath12k_dp_rx_h_tkip_mic_err(ar, msdu, status);
38113849
break;
38123850
}
38133851
fallthrough;

0 commit comments

Comments
 (0)