[PATCH v2 2/3] wifi: wlcore: fix OOB read from firmware max_buff_size in logger handler

From: Tristan Madani

Date: Wed Apr 15 2026 - 18:30:22 EST


From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

The firmware-controlled max_buff_size field is used to compute buffer
offsets in wlcore_event_fw_logger() without validation against the
4128-byte kernel allocation. An inflated value causes out-of-bounds
reads from kernel heap, with the data written to the debugfs-accessible
fwlog ring buffer.

Cap max_buff_size at the allocation size minus the header offset.

Fixes: 3719c17e1816 ("wlcore/wl18xx: fw logger over sdio")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/ti/wlcore/event.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/ti/wlcore/event.c b/drivers/net/wireless/ti/wlcore/event.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ti/wlcore/event.c
+++ b/drivers/net/wireless/ti/wlcore/event.c
@@ -62,6 +62,13 @@ void wlcore_event_fw_logger(struct wl1271 *wl)
if (actual_len == 0)
goto free_out;

+ if (le32_to_cpu(fw_log.max_buff_size) >
+ WL18XX_LOGGER_SDIO_BUFF_MAX - WL18XX_LOGGER_BUFF_OFFSET) {
+ wl1271_error("fw logger: max_buff_size %u exceeds buffer\n",
+ le32_to_cpu(fw_log.max_buff_size));
+ goto free_out;
+ }
+
/* Calculate the internal pointer to the fwlog structure */
addr_ptr = internal_fw_addrbase + addr;
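Review bot: the new check runs wl1271_error() with a firmware-controlled value on every logger event that trips it, so a misbehaving firmware can turn this into repeated error-level log lines; consider wl1271_warning(), or logging it only once or rate-limited, since the goto free_out already drops the event. Minor: `le32_to_cpu(fw_log.max_buff_size)` is evaluated twice in the check; reading it once into a local next to `actual_len` (e.g. `max_len = le32_to_cpu(fw_log.max_buff_size);`) would keep the comparison and the message in sync. A one-line comment saying the bound is the kernel allocation (WL18XX_LOGGER_SDIO_BUFF_MAX) minus the header offset, as the commit message explains, would help the next reader see why those two macros define the limit.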