| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251205161202.48409-1-mikhail.v.gavrilov@gmail.com>
Date: Fri, 5 Dec 2025 21:12:02 +0500
From: Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
To: Mario Limonciello <superm1@...nel.org>
Cc: Felix Fietkau <nbd@....name>,
Lorenzo Bianconi <lorenzo@...nel.org>,
linux-wireless@...r.kernel.org,
linux-mediatek@...ts.infradead.org,
linux-kernel@...r.kernel.org,
Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
Subject: [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced
a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others
using mt76_connac_lib) due to an incorrect buffer size calculation.
The error logged is:
"strnlen: detected buffer overflow: 17 byte read of buffer size 16"
This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes.
The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)'
(17) as the read limit for strscpy, causing Fortify Source to correctly detect
an attempt to read 17 bytes from the 16-byte source field.
To fix this, replace strscpy with memcpy, which is appropriate for raw data
copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16)
to limit the read, followed by manual null termination.
Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
index ea99167765b0..d2c4c65ec464 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
}
hdr = (const void *)fw->data;
- strscpy(build_date, hdr->build_date, sizeof(build_date));
- build_date[16] = '\0';
+ /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer,
+ * and then add the null terminator at index 16.
+ */
+ memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
+ build_date[sizeof(hdr->build_date)] = '\0';
strim(build_date);
dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
be32_to_cpu(hdr->hw_sw_ver), build_date);
--
2.52.0
Powered by blists - more mailing lists