lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <572c2a33-18dd-4bf0-8c41-e051d75f481b@molgen.mpg.de>
Date: Thu, 9 Oct 2025 09:01:18 +0200
From: Paul Menzel <pmenzel@...gen.mpg.de>
To: Seungjin Bae <eeodqql09@...il.com>
Cc: Marcel Holtmann <marcel@...tmann.org>,
 Kyungtae Kim <Kyungtae.Kim@...tmouth.edu>,
 Luiz Augusto von Dentz <luiz.dentz@...il.com>, linux-kernel@...r.kernel.org,
 linux-bluetooth@...r.kernel.org
Subject: Re: [PATCH v3] Bluetooth: bfusb: Fix buffer over-read in rx
 processing loop

Dear Seungjin,


Thank you for the patch.

Am 09.10.25 um 04:57 schrieb pip-izony:
> From: Seungjin Bae <eeodqql09@...il.com>
> 
> The bfusb_rx_complete() function parses incoming URB data in a while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> across loop iterations, which can lead to a buffer over-read.
> 
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel
> panic.
> 
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@...il.com>
> ---
>   v1 -> v2: Fixing the error function name
>   v2 -> v3: Addressing feedback from Paul Menzel
> 
>   drivers/bluetooth/bfusb.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..90ca5ab2acc3 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,12 @@ static void bfusb_rx_complete(struct urb *urb)
>   			count -= 2;
>   			buf   += 2;
>   		} else {
> +			if (count < 3) {
> +				bt_dev_err(data->hdev,
> +				       "block header is too short (count=%d, expected=3)",

Why not: block header count %d < 3 (too short)

> +				       count);
> +				break;
> +			}
>   			len = (buf[2] == 0) ? 256 : buf[2];
>   			count -= 3;
>   			buf   += 3;

Either way:

Reviewed-by: Paul Menzel <pmenzel@...gen.mpg.de>


Kind regards,

Paul

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ