t7xx WWAN driver: out-of-bounds read via unvalidated port_count

MediaTek t7xx WWAN driver | Linux kernel | slab OOB read in modem control message handling

Summary

An out-of-bounds read exists in the t7xx WWAN driver due to an unchecked port_count field in a modem-supplied control message. The value is used directly as a loop bound over a flexible array member without validating that the backing buffer contains sufficient data.

Because this message originates from modem firmware via DMA, the kernel assumes structural correctness of fields that are fully attacker-controlled in a compromised modem scenario.

Vulnerability details

The message format:

struct port_msg {
    __le32 head_pattern;
    __le32 info;          // contains port_count
    __le32 tail_pattern;
    __le32 data[];
};

The vulnerable field is extracted as:

port_count = FIELD_GET(PORT_MSG_PRT_CNT,
                       le32_to_cpu(port_msg->info));

It is then used directly as a loop bound:

for (i = 0; i < port_count; i++) {
    u32 port_info = le32_to_cpu(port_msg->data[i]); // OOB READ
}

No check ensures that skb->len is sufficient for port_count entries.

Root cause

The driver assumes that modem-provided metadata fields are internally consistent with buffer size. This assumption is invalid in the presence of a compromised or malicious modem firmware.

Missing constraint:
skb->len >= sizeof(struct port_msg) + (port_count * sizeof(u32))

Crash report (KASAN)

BUG: KASAN: slab-out-of-bounds in t7xx_port_enum_msg_handler+0x1ae/0x1c0
Read of size 4 at addr ffff888008654d8c

Allocated object:
kmalloc-16 (12 bytes used)

[ffff888008654d80, ffff888008654d8c)

OOB occurs at:
base + 0x0c → data[0]

The first out-of-bounds access happens immediately at data[0] when the structure only contains 12 bytes (no flexible array allocation).

Impact

Because the loop bound is taken from the attacker-controlled port_count field, the read can extend well beyond the 12-byte allocated object; how far depends only on the value of port_count.

Fix

The correct fix is to validate message length before iterating:

if (skb->len < struct_size(port_msg, data, port_count))
    return -EINVAL;

Optionally enforce an upper bound:

if (port_count > T7XX_MAX_PORTS)
    return -EINVAL;
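The two checks above, carried into a stand-alone user-space model of the message layout so the rejected and accepted cases can be exercised without the driver. This is an added example, not code from the t7xx driver; the port_count bit mask (low 8 bits of info) and the T7XX_MAX_PORTS value are assumptions, since the page gives neither, and the two input messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* User-space stand-in for the driver's on-wire layout described above. */
struct port_msg {
    uint32_t head_pattern;
    uint32_t info;          /* contains port_count */
    uint32_t tail_pattern;
    uint32_t data[];
};
/* Assumption: port_count is the low 8 bits of info; the driver's real
 * PORT_MSG_PRT_CNT mask and T7XX_MAX_PORTS value are not given on this page. */
#define PORT_MSG_PRT_CNT_MASK 0xFFu
#define T7XX_MAX_PORTS        32u

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns port_count when the buffer backs every data[] entry it claims,
 * otherwise -1 (the user-space equivalent of the fix's -EINVAL path). */
int validate_port_msg(const uint8_t *buf, size_t len)
{
    uint32_t port_count;
    if (len < sizeof(struct port_msg))      /* header itself incomplete */
        return -1;
    port_count = get_le32(buf + offsetof(struct port_msg, info)) & PORT_MSG_PRT_CNT_MASK;
    if (port_count > T7XX_MAX_PORTS)         /* optional upper bound */
        return -1;
    /* skb->len >= sizeof(struct port_msg) + port_count * sizeof(u32) */
    if (len - sizeof(struct port_msg) < (size_t)port_count * sizeof(uint32_t))
        return -1;
    return (int)port_count;
}

/* Constructed input: the crash report's shape, 12 bytes claiming 3 ports. */
int truncated_case(void)
{
    static const uint8_t msg[12] = { 0,0,0,0, 3,0,0,0, 0,0,0,0 };
    return validate_port_msg(msg, sizeof(msg));   /* -1: data[0] is never read */
}
/* Constructed input: the same header followed by the three data[] words. */
int complete_case(void)
{
    static const uint8_t msg[24] = { 0,0,0,0, 3,0,0,0, 0,0,0,0,
                                     1,0,0,0, 2,0,0,0, 3,0,0,0 };
    return validate_port_msg(msg, sizeof(msg));   /* 3 */
}
```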

Affected versions

Linux kernel v5.18-rc1 through latest mainline (April 2026).

Notes

This class of bug is common in modem-facing drivers where DMA-provided control messages are partially validated but not structurally bounded.