Re: [PATCH] wifi: ath6kl: validate assoc info lengths in the WMI connect event

From: Doruk (0sec)

Date: Mon Jul 13 2026 - 14:20:15 EST


On 7/11/2026, Jeff Johnson wrote:
> Some aspects of your patch are already addressed by:
> https://lore.kernel.org/all/20260421135009.348084-3-tristmd@xxxxxxxxx
> So you will need to rebase once that lands.

Thanks for the heads up! One thing that looks like it may remain after
Tristan's patch, in case it's useful: the aggregate check bounds the case
where the declared lengths are too large, but ath6kl_cfg80211_connect_event()
still underflows when a length is too small. It does, on u8 values
with no lower bound:

assoc_req_len -= assoc_req_ie_offset; /* -= 4 */
assoc_resp_len -= assoc_resp_ie_offset; /* -= 6 */

so an assoc request/response shorter than the fixed offset wraps to ~250, and
cfg80211_connect_result()/cfg80211_roamed() then treat that as the IE length and
copy that many bytes out of the small assoc_info buffer to user space. That path
is separate from the aggregate over-read Tristan's check covers.

Happy to send a small follow-on clamping those two subtractions on top of
Tristan's series once it lands -- or Tristan, please feel free to fold it into
your series if you'd rather keep it together. Whatever's easiest for you both.

Best
Doruk

DORUK TAN ÖZTÜRK

Co-Founder


0sec

Universitätstrasse 33

8006 Zürich, Switzerland

www.0sec.ai | doruk@xxxxxxx | Linkedin



On Sat, 11 Jul 2026 at 16:39, Jeff Johnson
<jeff.johnson@xxxxxxxxxxxxxxxx> wrote:
>
> On 7/11/2026 12:13 AM, Doruk Tan Ozturk wrote:
> > ath6kl_wmi_connect_event_rx() only checks that the received event is at
> > least sizeof(struct wmi_connect_event); it never checks that the trailing
> > beacon_ie_len + assoc_req_len + assoc_resp_len fields fit within the
> > received buffer. Those attacker/AP-influenced lengths then drive two
> > out-of-bounds accesses:
> >
> > - The WMM information-element scan builds
> > peie = assoc_info + beacon_ie_len + assoc_req_len + assoc_resp_len
> > and walks up to it, reading past the end of the event buffer when the
> > declared lengths exceed the buffer. The walk also dereferences
> > pie[1..6] and pie[1] (for the advance) without checking they stay
> > within peie.
> >
> > - ath6kl_cfg80211_connect_event() subtracts fixed offsets from
> > assoc_req_len (-= 4) and assoc_resp_len (-= 6), both u8, with no lower
> > bound. A short assoc request/response underflows the length to ~250,
> > which cfg80211_connect_result() / cfg80211_roamed() then treat as the
> > IE length and copy out of bounds from the small assoc_info buffer,
> > disclosing adjacent slab memory to user space via nl80211.
> >
> > Bound the declared IE lengths against the received buffer, bound the WMM
> > element reads against peie, and clamp the assoc request/response lengths
> > before the subtraction. The sibling wil6210 driver already performs the
> > equivalent length check for the same WMI connect event.
> >
> > Found by 0sec (https://0sec.ai) using automated source analysis; the
> > missing bounds are evident from source and cross-checked against the
> > sibling wil6210 driver. Compile-tested.
> >
> > Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Assisted-by: 0sec:claude-opus-4-8
> > Signed-off-by: Doruk Tan Ozturk <doruk@xxxxxxx>
>
> Some aspects of your patch are already addressed by:
> https://lore.kernel.org/all/20260421135009.348084-3-tristmd@xxxxxxxxx
>
> So you will need to rebase once that lands.
>
> /jeff