[PATCH v2 0/3] wifi: wcn36xx: fix OOB reads and heap overflow from firmware responses

Jeff Johnson jeff.johnson at oss.qualcomm.com
Thu Apr 16 17:01:45 PDT 2026


On 4/16/2026 11:39 AM, Johannes Berg wrote:
> On Thu, 2026-04-16 at 09:25 -0700, Jeff Johnson wrote:
>> On 4/15/2026 3:37 PM, Tristan Madani wrote:
>>> From: Tristan Madani <tristan at talencesecurity.com>
>>>
>>> Hi Loic,
>>>
>>> Note: this is a v2 resubmission. The original was sent via Gmail which
>>> caused HTML rendering issues. This version uses git send-email for
>>> proper plain-text formatting.
>>>
>>> Three issues in wcn36xx HAL firmware response handling, including a heap
>>> overflow in the main response dispatcher:
>>>
>>> Proposed fixes in the following patches.
>>>
>>> Thanks,
>>> Tristan
>>
>> Are you able to cause these issues to occur?
>> My expectation is that this is testing things that firmware will never do, and
>> hence this adds code and processing with no actual benefit.
> 
> We're not really supposed to completely trust firmware though, right? :)

Like everything else in software there are tradeoffs. You have to mostly trust
firmware since everything it is doing is on behalf of the driver. So that
is why I'm curious if these issues are actually exploitable, or if this is
just preventative for the sake of being preventative.

/jeff


