| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120818-CVE-2025-40294-b8e3@gregkh> Date: Mon, 8 Dec 2025 09:47:19 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40294: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied. Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. The Linux kernel CVE team has assigned CVE-2025-40294 to this issue. Affected and fixed versions =========================== Issue introduced in 6.1.83 with commit 99f30e12e588f9982a6eb1916e53510bff25b3b8 and fixed in 6.1.159 with commit 96616530f524a0a76248cd44201de0a9e8526190 Issue introduced in 6.6 with commit db08722fc7d46168fe31d9b8a7b29229dd959f9f and fixed in 6.6.117 with commit 5f7350ff2b179764a4f40ba4161b60b8aaef857b Issue introduced in 6.6 with commit db08722fc7d46168fe31d9b8a7b29229dd959f9f and fixed in 6.12.58 with commit 4b7d4aa5399b5a64caee639275615c63c008540d Issue introduced in 6.6 with commit db08722fc7d46168fe31d9b8a7b29229dd959f9f and fixed in 6.17.8 with commit 3a50d59b3781bc3a4e96533612509546a4c309a7 Issue introduced in 6.6 with commit db08722fc7d46168fe31d9b8a7b29229dd959f9f and fixed in 6.18 with commit 8d59fba49362c65332395789fd82771f1028d87e Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40294 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/net/bluetooth/mgmt.h net/bluetooth/mgmt.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190 https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7 https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e
Powered by blists - more mailing lists