[PATCH 0/2] wifi: mt76: bound the device-reported EEPROM address

From: Bryam Vargas via B4 Relay

Date: Thu Jun 25 2026 - 08:10:41 EST


Both mt76 get_eeprom handlers copy a device-reported EFUSE block into
dev->mt76.eeprom.data at an offset taken from the MCU response (res->addr /
event->addr, a device-controlled __le32). They clamp the copy length but
never the destination offset, so an adapter that reports an out-of-range
address drives an out-of-bounds write past eeprom.data -- 16 bytes on mt7915,
up to 1024 on mt7996. Both patches reject such an address before deriving the
pointer; a device that echoes the requested in-bounds offset is unaffected.

It is adapter-side only -- there is no unprivileged user path -- so this
hardens against a malicious or compromised device, not a remote attacker.

An out-of-tree KASAN module that reproduces each handler's destination
arithmetic faults the unpatched path (slab-out-of-bounds write past
eeprom.data) and runs clean both with the bound and on an in-range control.

---
Bryam Vargas (2):
wifi: mt76: mt7915: bound the device EEPROM address before the EFUSE copy
wifi: mt76: mt7996: bound the device EEPROM address before the EFUSE copy

drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 11 +++++++++--
drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 9 ++++++++-
2 files changed, 17 insertions(+), 3 deletions(-)
---
base-commit: 502d801f0ab03e4f32f9a33d203154ce84887921
change-id: 20260625-b4-disp-16f99062-0dd6169db97b

Best regards,
--
Bryam Vargas <hexlabsecurity@xxxxxxxxx>
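The bound the series describes, written out as an added example that is not mt76 code and does not reproduce the real mt7915/mt7996 handlers or their struct layouts: every `demo_` name, the 512-byte buffer, the response layout and the 16-byte block are constructed for illustration. It models the three pieces the cover letter names: the existing length clamp, the unchecked destination arithmetic (returned as a number rather than performed, so the example is safe to run), and the new check that rejects an out-of-range device-reported address before the pointer is derived.

```c
/* Added example, not mt76 code: a model of a get_eeprom copy path with the
 * device-reported destination offset bounded. All demo_ names, sizes and
 * the response layout are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_EEPROM_SIZE 512u   /* constructed size of the eeprom.data buffer */
#define DEMO_EFUSE_BLOCK 16u    /* constructed per-response block size */

/* Model of the MCU response. The driver asked for an offset, but the device
 * answers with an address (and length) of its own choosing, so both fields
 * are untrusted input. */
struct demo_efuse_event {
    uint32_t addr;              /* device-reported destination offset */
    uint32_t len;               /* device-reported payload length */
    uint8_t  data[DEMO_EFUSE_BLOCK];
};

/* The check the series adds: is [addr, addr + len) inside a buffer of
 * `size` bytes? Written as addr <= size - len (after rejecting len > size)
 * so that a large addr cannot wrap the addition. */
static bool demo_dest_in_bounds(uint32_t addr, size_t len, size_t size)
{
    if (len > size)
        return false;
    return addr <= size - len;
}

/* Destination arithmetic as an unbounded handler would perform it: returns
 * the byte offset one past the end of the write, so a caller can see how
 * far beyond the buffer a hostile addr lands. No memory is touched here. */
static uint64_t demo_unbounded_write_end(uint32_t addr, size_t len)
{
    return (uint64_t)addr + len;
}

/* Hardened copy: clamp the length as before, then reject any address that
 * would place the block outside eeprom. Returns bytes copied, or -1 when the
 * device-reported address is rejected. */
static int demo_copy_efuse_block(uint8_t *eeprom, size_t eeprom_size,
                                 const struct demo_efuse_event *ev)
{
    size_t len = ev->len;

    if (len > DEMO_EFUSE_BLOCK)             /* the existing length clamp */
        len = DEMO_EFUSE_BLOCK;

    if (!demo_dest_in_bounds(ev->addr, len, eeprom_size))
        return -1;                           /* the new bound, before any pointer math */

    memcpy(eeprom + ev->addr, ev->data, len);
    return (int)len;
}

int main(void)
{
    uint8_t eeprom[DEMO_EEPROM_SIZE] = {0};
    /* constructed responses: in-range echo, one byte too far, and a wrapping addr */
    struct demo_efuse_event cases[3] = {
        { .addr = DEMO_EEPROM_SIZE - DEMO_EFUSE_BLOCK, .len = DEMO_EFUSE_BLOCK },
        { .addr = DEMO_EEPROM_SIZE - DEMO_EFUSE_BLOCK + 1, .len = DEMO_EFUSE_BLOCK },
        { .addr = 0xFFFFFFF8u, .len = DEMO_EFUSE_BLOCK },
    };

    for (size_t i = 0; i < 3; i++) {
        memset(cases[i].data, 0xA5, sizeof(cases[i].data));
        printf("addr=0x%08x unbounded write would end at byte %llu (buffer is %u): copy -> %d\n",
               cases[i].addr,
               (unsigned long long)demo_unbounded_write_end(cases[i].addr, DEMO_EFUSE_BLOCK),
               DEMO_EEPROM_SIZE,
               demo_copy_efuse_block(eeprom, sizeof(eeprom), &cases[i]));
    }
    return 0;
}
```

The subtraction form of the check matters: `addr + len <= size` evaluated in 32 bits wraps for an address such as `0xFFFFFFF8`, which is exactly the class of value a misbehaving adapter can return.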