Message-ID: <CABXGCsMeAZyNJ-Axt_CUCXgyieWPV3rrcLpWsveMPT8R0YPGnQ@mail.gmail.com>
Date: Fri, 5 Dec 2025 16:06:09 +0500
From: Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
To: superm1@...nel.org, Felix Fietkau <nbd@....name>, 
	Linux List Kernel Mailing <linux-wireless@...r.kernel.org>, 
	Linux List Kernel Mailing <linux-kernel@...r.kernel.org>, 
	Linux regressions mailing list <regressions@...ts.linux.dev>
Subject: [REGRESSION] mt76: fortify panic on mt7921e during firmware load (bisected)

Hi,

After updating to a kernel containing commit

    f804a5895eba ("wifi: mt76: Strip whitespace from build date")

the MediaTek MT7921e (PCIe) Wi-Fi card triggers a fortify buffer-overrun
warning followed by a kernel BUG/panic very early during boot while the
driver is loading firmware:

[   22.955210] strnlen: detected buffer overflow: 17 byte read of buffer size 16
[   22.955519] kernel BUG at lib/string_helpers.c:1043!
[   22.955523] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
...
[   22.955544]  mt76_connac2_load_patch.cold+0x180/0x1ea [mt76_connac_lib]
[   22.955560]  mt792x_load_firmware+0x85/0x420 [mt792x_lib]
[   22.955563]  mt7921_run_firmware+0x67/0x180 [mt7921_common]
[   22.955567]  mt7921e_mcu_init+0xba/0x18d [mt7921e]
...

Full dmesg and .config are attached (dmesg-6.18.0-559e608c4655.txt,
.config). The system is an ASUS ROG STRIX B650E-I GAMING WIFI with a Ryzen 9
7950 (non-X3D); the Wi-Fi card is the onboard MediaTek MT7921e. Full probe:
https://linux-hardware.org/?probe=e7346d94e1

Bisection cleanly points to the offending commit:
Author: Mario Limonciello (AMD) <superm1@...nel.org>
Date:   Thu Nov 20 09:58:27 2025 -0600

    wifi: mt76: Strip whitespace from build date

    On systems I have with mt7925 cards I've been noticing a blank line in my
    kernel logs.  IE:
    ```
    [   17.294105] mt7925e 0000:c3:00.0: HW/SW Version: 0x8a108a10, Build Time: 20250721232852a

    [   17.314233] r8169 0000:c4:00.0 enp196s0f0: Link is Down
    ```

    This is because the build_date from the header has a newline character
    as does the dev_info() print.  As the firmware isn't guaranteed to always
    have a newline but the print is, copy the firmware build date to a
    temporary variable and strip any whitespace from it before showing it in
    the logs.

    Signed-off-by: Mario Limonciello (AMD) <superm1@...nel.org>
    Link: https://patch.msgid.link/20251120155829.3494747-1-superm1@kernel.org
    Signed-off-by: Felix Fietkau <nbd@....name>

 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Reverting f804a5895eba on top of 559e608c4655 makes the panic disappear
completely and the Wi-Fi card works normally again.

The problem is caused by the new code in mt76_connac_mcu.c that copies
the firmware build-date string into a stack buffer of size 16 and then
calls str_replace(build_date, " ", "") (and later dev_info() with the
modified buffer). The firmware on the MT7921e card apparently contains
a build-date string that is exactly 16 bytes long plus the trailing NUL,
so after the first space is replaced with a NUL the following strim()
(or any other string function) still walks past the end of the 16-byte
buffer when it looks for more whitespace, triggering the fortify check.

I do not have a proposed fix yet, but reverting the commit is a reliable
workaround for now.

#regzbot introduced: f804a5895eba

-- 
Best Regards,
Mike Gavrilov.
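Added example, not part of this report or of the mt76 driver: a user-space C model of the bug class described above, a fixed-width firmware header field with no guaranteed NUL being copied into a temporary of the same size before logging. The 16-byte field width, the function names and the sample date string are assumptions, and the overread is only shown as a bounded length check rather than reproduced.

```c
/* Added example, not the report's or the mt76 driver's code: models a
 * fixed-width, not-necessarily-NUL-terminated firmware header field being
 * copied to a temporary before logging. Field width and names are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16   /* assumed width of the header's build-date field */

/* Constructed sample: 16 characters fill the field, so it carries no NUL
 * (valid C: the literal's terminator is dropped by the initializer). */
static const char sample_field[FIELD_LEN] = "20250721232852a ";

/* 1 if a NUL exists inside the field, 0 if a string walk would overrun it. */
int field_is_terminated(const char *field, size_t len)
{
    return memchr(field, '\0', len) != NULL;
}

/* Unsafe pattern: the temporary is as wide as the field, so a full field
 * is copied without a terminator and a later strlen()/strim() reads past
 * it; that overread is what the fortify check in the report caught.
 * Only a bounded strnlen() is used here, so the demo itself stays safe. */
size_t unsafe_copy_len(const char *field, size_t len)
{
    char tmp[FIELD_LEN];
    memcpy(tmp, field, len < sizeof tmp ? len : sizeof tmp);
    return strnlen(tmp, sizeof tmp);   /* hits the bound: no NUL inside */
}

/* Safe pattern: one extra byte for the terminator, copy bounded by the
 * source width, explicit NUL, then strip trailing whitespace in place. */
size_t copy_build_date(const char *field, size_t len, char *out, size_t out_sz)
{
    if (out_sz == 0)
        return 0;
    size_t n = len < out_sz - 1 ? len : out_sz - 1;
    memcpy(out, field, n);
    out[n] = '\0';
    while (n > 0 && isspace((unsigned char)out[n - 1]))
        out[--n] = '\0';
    return n;
}

int main(void)
{
    char date[FIELD_LEN + 1];
    size_t n = copy_build_date(sample_field, FIELD_LEN, date, sizeof date);
    printf("terminated=%d build date='%s' (%zu chars)\n",
           field_is_terminated(sample_field, FIELD_LEN), date, n);
    return 0;
}
```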
