Re: net: wwan: iosm: possible out of bounds read in the MUX downlink decoder

From: Loic Poulain

Date: Fri Jun 19 2026 - 03:44:12 EST


Hi Maoyi,

On Fri, Jun 19, 2026 at 5:05 AM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
>
> Hi all,
>
> I think mux_dl_adb_decode() in drivers/net/wwan/iosm/iosm_ipc_mux_codec.c can
> read past the downlink buffer when the modem reports a large table index. I
> would appreciate it if you could take a look.
>
> The decoder takes the table offset straight from the device ADB header.
>
> block = skb->data;
> adbh = (struct mux_adbh *)block;
> adth_index = le32_to_cpu(adbh->first_table_index);
> if (adth_index < 1)
>         goto adb_decode_err;
> ...
> adth = (struct mux_adth *)(block + adth_index);
>
> first_table_index is a device le32 and the only check is that it is not
> zero. After that adth points at block + adth_index with no upper bound and
> the code reads adth->table_length and the datagram table from there. The
> downlink buffer is IPC_MEM_MAX_DL_MUX_LITE_BUF_SIZE, 2048 bytes, so an index
> past 2048 reads past the slab object.
>
> mux_dl_process_dg() has the same issue further down. It reads
> dg->datagram_index and dg->datagram_length per entry, bounded only by the
> device block_length, which is itself never checked against skb->len.
>
> The protocol layer below only caps the total transfer at the pipe buffer
> size and skb_put()s it, so skb->len is at most 2048, but none of these
> in band offsets and lengths are checked against it.
>
> The data here comes from the modem, so it is device input we should not
> trust, especially with an external or compromised PCIe baseband. It fires on
> a normal downlink receive once the iosm net device is up.
>
> I reproduced the adth_index read under KASAN on 7.1-rc7. With an index that
> fits the buffer the read stays inside. With an index past the buffer KASAN
> reports a slab out of bounds read past the downlink buffer.
>
> The fix I have in mind validates every device offset and length against
> skb->len before use, rejecting an adth_index that leaves no room for a
> struct mux_adth and a datagram that runs past the buffer.
>
> Does this look like a real bug to you? The aggregation decoder has moved
> around over the years, so I am not certain of the exact introducing commit.
> 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") is the
> broadly cited landing point. I am happy to send a proper patch.

Yes, please submit a fix. This looks like a typical lack of boundary
checking; we should enforce proper sanitization and avoid blindly
trusting firmware.

>
> Thanks,
> Maoyi
> https://maoyixie.com/
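One shape the validation described in the report could take, written here as an added example rather than Maoyi's patch or the driver's own code: every device-supplied offset and length is checked against the received byte count before it is dereferenced. The three header structs are simplified assumed layouts (not the real struct mux_adbh / mux_adth), and the 2048-byte block is constructed so the checker can be exercised with in-range and out-of-range values.

```c
#include <stdint.h>
#include <string.h>
/* Simplified stand-ins for the device headers: assumed layouts for this example, not the real ones */
struct adbh { uint32_t block_length, first_table_index; };
struct adth { uint32_t table_length, nr_of_dg; };
struct adth_dg { uint32_t datagram_index, datagram_length; };
enum { MAX_DL_BUF = 2048, ADB_OK = 0, ADB_BAD_BLOCK = -1, ADB_BAD_TABLE = -2, ADB_BAD_DG = -3 };

/* Checks every device-supplied offset/length against skb_len (bytes actually received) before use */
int adb_decode_check(const uint8_t *block, size_t skb_len)
{
    struct adbh adbh; struct adth adth; struct adth_dg dg; uint32_t i;
    if (skb_len < sizeof(adbh)) return ADB_BAD_BLOCK;
    memcpy(&adbh, block, sizeof(adbh));
    /* block_length is device data too: it must not exceed what was received */
    if (adbh.block_length < sizeof(adbh) || adbh.block_length > skb_len) return ADB_BAD_BLOCK;
    /* the table must start past the header and leave room for a whole adth */
    if (adbh.first_table_index < sizeof(adbh) ||
        adbh.first_table_index > adbh.block_length - sizeof(adth))
        return ADB_BAD_TABLE;
    memcpy(&adth, block + adbh.first_table_index, sizeof(adth));
    /* table_length must cover exactly nr_of_dg entries and fit the block; the division prevents wrap */
    if (adth.nr_of_dg > (UINT32_MAX - sizeof(adth)) / sizeof(dg) ||
        adth.table_length != sizeof(adth) + adth.nr_of_dg * sizeof(dg) ||
        adth.table_length > adbh.block_length - adbh.first_table_index)
        return ADB_BAD_TABLE;
    for (i = 0; i < adth.nr_of_dg; i++) {
        memcpy(&dg, block + adbh.first_table_index + sizeof(adth) + i * sizeof(dg), sizeof(dg));
        /* index + length must stay inside the block; subtract so the check cannot wrap */
        if (dg.datagram_index > adbh.block_length ||
            dg.datagram_length > adbh.block_length - dg.datagram_index)
            return ADB_BAD_DG;
    }
    return ADB_OK;
}

/* Constructed 2048-byte block (the size named in the report): one table holding one datagram */
int sample_decode(uint32_t first_table_index, uint32_t dg_index, uint32_t dg_len)
{
    static uint8_t buf[MAX_DL_BUF];
    struct adbh adbh = { MAX_DL_BUF, first_table_index };
    struct adth adth = { sizeof(struct adth) + sizeof(struct adth_dg), 1 };
    struct adth_dg dg = { dg_index, dg_len };
    memset(buf, 0, sizeof(buf));
    memcpy(buf, &adbh, sizeof(adbh));
    if (first_table_index <= MAX_DL_BUF - sizeof(adth) - sizeof(dg)) {
        memcpy(buf + first_table_index, &adth, sizeof(adth));
        memcpy(buf + first_table_index + sizeof(adth), &dg, sizeof(dg));
    }
    return adb_decode_check(buf, sizeof(buf));
}
```

An index such as 4096 is rejected before the table is ever read, which is the access KASAN flagged; a datagram whose index plus length overruns the block is rejected by the same subtract-first comparison.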