by qhwudbebd 641 days ago
The wording of the headline is a bit misleading here. I followed the link thinking it might be a firmware or silicon bug as I have a couple of routers at home with mt76 wifi, but was relieved to find it's just a bug in the vendor's 'sdk' shovelware. I'm baffled that anyone even thought about using that, given there's such good mt76 support from mainline kernels with hostapd.

> relieved to find it's just a bug in the vendor's 'sdk' shovelware

Vendors plural to worry about:

“…driver bundles used in products from various manufacturers, including [but not limited to] Ubiquiti, Xiaomi and Netgear.”

That said, vendors (plural) say no products use this, e.g. Ubiquiti:

https://community.ui.com/questions/CVE-2024-20017/b3f1a425-d...

Sorry, yes, my use of 'vendor' here was ambiguous. I meant MediaTek, the chipset vendor.

> I'm baffled that anyone even thought about using that, given there's such good mt76 support from mainline kernels with hostapd.

Not sure if you noticed, but the OpenWrt 21.02.x series (based on mainline kernel 5.4 series) is affected, and these guys generally know their game when it comes to wireless on Linux. So much so that I think the mainline kernel mt76 driver is actually maintained by an OpenWrt developer.

Upstream OpenWrt does not use `wappd` so it should not be affected.

Interesting. The bulletin lists "OpenWrt 19.07, 21.02 (for MT6890)" as vulnerable, but OpenWrt had indeed no security advisory out for this:

https://openwrt.org/advisory/start

Maybe MediaTek has shipped some modified versions of OpenWrt using this "wappd" thing to their B2B customers (as part of the SDK perhaps?) and are now advertising those as vulnerable.

Yes, I'm assuming that's exactly why OpenWrt is mentioned but it's very misleading.

The OpenWrt folks generally have good enough taste not to ship any drivers or userspace junk from vendor SDKs, though they do have a fair-sized set of backport patches on top of the (somewhat elderly) mainline kernels they do ship.

I'm running up-to-date mainline on my routers, not OpenWrt kernels. The mt76 support in 6.11 (and previously in 6.9 and 6.10) is complete enough that I don't need to carry any patches at all over what's in Linus' tree.