[PATCH] wifi: mt76: fix buffer overflow bug
Harry Austen
hpausten at protonmail.com
Mon Dec 22 10:05:33 PST 2025
Prevents attempting to read an extra byte from the origin string.
Example stacktrace:
------------[ cut here ]------------
strnlen: detected buffer overflow: 17 byte read of buffer size 16
WARNING: lib/string_helpers.c:1036 at __fortify_report+0x2d/0x50, CPU#0: kworker/0:0/9
Modules linked in:
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #13 PREEMPT(full)
Hardware name: Micro-Star International Co., Ltd. MS-7E24/B650M GAMING PLUS WIFI (MS-7E24), BIOS 1.C2 08/06/2025
Workqueue: events mt7921_init_work
RIP: 0010:__fortify_report+0x3f/0x50
Code: b6 c1 48 c7 c1 93 60 c0 95 48 8b 34 c5 50 9c 2a 95 48 8d 05 03 1f ee 01 40 f6 c7 01 48 c7 c7 3c 66 c4 95 48 0f 44 cf 48 89 c7 <67> 48 0f b9 3a c3 cc cc cc cc cc cc cc cc cc cc cc ba 2f 00 00 00
RSP: 0018:ffff9f370019fcd0 EFLAGS: 00010246
RAX: ffffffff9636a210 RBX: ffff9420525b1ea0 RCX: ffffffff95c4663c
RDX: 0000000000000011 RSI: ffffffff95cf5242 RDI: ffffffff9636a210
RBP: ffff9f370019fd70 R08: 0000000000000010 R09: ffff9f370019fbf1
R10: 0000000000000004 R11: 0000000000000000 R12: ffffffff95bb3ca3
R13: ffff9420525bb101 R14: 0000000000000000 R15: 00000000ffffffea
FS: 0000000000000000(0000) GS:ffff9427c79ae000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff942526a01000 CR3: 00000005e5a2c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
__fortify_panic+0x5/0x10
mt76_connac2_load_patch+0x34f/0x360
? update_load_avg+0x1f1/0x840
mt792x_load_firmware+0x35/0x150
mt7921_run_firmware+0x28/0x4c0
? _raw_spin_unlock+0x12/0x30
? ____mt76_poll_msec+0x53/0xa0
mt7921e_mcu_init+0xba/0x100
mt7921_init_work+0x70/0x1c0
process_scheduled_works+0x1f0/0x420
worker_thread+0x296/0x370
? pr_cont_work+0x1c0/0x1c0
kthread+0x213/0x240
? kthread_blkcg+0x40/0x40
ret_from_fork+0xfa/0x1c0
? kthread_blkcg+0x40/0x40
ret_from_fork_asm+0x11/0x20
</TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kernel BUG at lib/string_helpers.c:1043!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Tainted: G W 6.19.0-rc2+ #13 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Micro-Star International Co., Ltd. MS-7E24/B650M GAMING PLUS WIFI (MS-7E24), BIOS 1.C2 08/06/2025
Workqueue: events mt7921_init_work
RIP: 0010:__fortify_panic+0x5/0x10
Code: 1d 00 00 00 48 89 df 48 c7 c6 72 68 c8 95 5b 41 5e 41 5f e9 dd c2 4a 00 cc cc cc cc cc cc cc cc cc cc cc cc cc e8 bb b3 87 00 <0f> 0b cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 e5 41 56
RSP: 0018:ffff9f370019fcd8 EFLAGS: 00010246
RAX: ffffffff9636a210 RBX: ffff9420525b1ea0 RCX: ffffffff95c4663c
RDX: 0000000000000011 RSI: ffffffff95cf5242 RDI: ffffffff9636a210
RBP: ffff9f370019fd70 R08: 0000000000000010 R09: ffff9f370019fbf1
R10: 0000000000000004 R11: 0000000000000000 R12: ffffffff95bb3ca3
R13: ffff9420525bb101 R14: 0000000000000000 R15: 00000000ffffffea
FS: 0000000000000000(0000) GS:ffff9427c79ae000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff942526a01000 CR3: 00000005e5a2c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
mt76_connac2_load_patch+0x34f/0x360
? update_load_avg+0x1f1/0x840
mt792x_load_firmware+0x35/0x150
mt7921_run_firmware+0x28/0x4c0
? _raw_spin_unlock+0x12/0x30
? ____mt76_poll_msec+0x53/0xa0
mt7921e_mcu_init+0xba/0x100
mt7921_init_work+0x70/0x1c0
process_scheduled_works+0x1f0/0x420
worker_thread+0x296/0x370
? pr_cont_work+0x1c0/0x1c0
kthread+0x213/0x240
? kthread_blkcg+0x40/0x40
ret_from_fork+0xfa/0x1c0
? kthread_blkcg+0x40/0x40
ret_from_fork_asm+0x11/0x20
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
Signed-off-by: Harry Austen <hpausten at protonmail.com>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
index ea99167765b0c..b735b3671fab5 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -3101,7 +3101,7 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
int i, ret, sem, max_len = mt76_is_sdio(dev) ? 2048 : 4096;
const struct mt76_connac2_patch_hdr *hdr;
const struct firmware *fw = NULL;
- char build_date[17];
+ char build_date[sizeof(hdr->build_date) + 1];
sem = mt76_connac_mcu_patch_sem_ctrl(dev, true);
switch (sem) {
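Review bot: Sizing the local buffer from the header field is the right fix and is valid here even though `hdr` is still an unassigned pointer at this point: it is declared on the line above, and `sizeof(hdr->build_date)` is resolved from the struct type at compile time without evaluating `hdr`, so the array length follows the header definition and the magic 17 goes away.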
@@ -3125,8 +3125,8 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
}
hdr = (const void *)fw->data;
- strscpy(build_date, hdr->build_date, sizeof(build_date));
- build_date[16] = '\0';
+ strscpy(build_date, hdr->build_date, sizeof(hdr->build_date));
+ build_date[sizeof(hdr->build_date)] = '\0';
strim(build_date);
dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
be32_to_cpu(hdr->hw_sw_ver), build_date);
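Review bot: The new strscpy size silently truncates a full-length build date. strscpy copies at most size - 1 bytes and writes the terminator at dst[size - 1], so with size = sizeof(hdr->build_date) (16 bytes) only 15 characters of a 16-character, non-NUL-terminated field reach the buffer and the last one is lost; the following `build_date[sizeof(hdr->build_date)] = '\0';` then terminates a byte strscpy never filled. Because the source is a fixed-width field rather than a C string, `memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));` followed by the existing terminator line copies all 16 bytes without the fortified strnlen over-read the trace reports, and once the buffer is always terminated the `%.16s` precision in the dev_info format can be reduced to `%s` so the two widths cannot drift apart.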
--
2.52.0