| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100813-thicken-snowfall-0d4d@gregkh>
Date: Wed, 8 Oct 2025 06:58:22 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: pip-izony <eeodqql09@...il.com>
Cc: Marcel Holtmann <marcel@...tmann.org>,
Kyungtae Kim <Kyungtae.Kim@...tmouth.edu>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing
loop
On Tue, Oct 07, 2025 at 07:29:42PM -0400, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@...il.com>
>
> The bfusb_rx_complete() function parses incoming URB data in while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> accross loop iterations, which can lead to a buffer over-read.
>
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel panic.
>
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@...il.com>
> ---
> drivers/bluetooth/bfusb.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..f17eae6dbd7d 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,10 @@ static void bfusb_rx_complete(struct urb *urb)
> count -= 2;
> buf += 2;
> } else {
> + if (count < 3) {
> + bf_dev_err(data->hdev, "block header is too short");
> + break;
> + }
> len = (buf[2] == 0) ? 256 : buf[2];
> count -= 3;
> buf += 3;
> --
> 2.43.0
>
>
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>
Powered by blists - more mailing lists