From: Siva Balasubramanian <sivakumar.bs@gmail.com>
To: stable@vger.kernel.org
Cc: tristan@talencesecurity.com, pav@iki.fi,
luiz.von.dentz@intel.com, linux-bluetooth@vger.kernel.org,
Siva Balasubramanian <sivakumar.bs@gmail.com>
Subject: [PATCH 0/2] Bluetooth: btmtk: WMT event length validation (CVE-2026-46140) - 6.6.y backport
Date: Fri, 26 Jun 2026 16:16:02 +0530
Message-ID: <20260626104604.3465124-1-sivakumar.bs@gmail.com>

Please consider the following two upstream commits for 6.6.y. They are
present in 6.12.y but missing from 6.6.y (latest checked: v6.6.143),
which contains the offending commit d019930b0049 ("Bluetooth: btmtk:
move btusb_mtk_hci_wmt_sync to btmtk.c") and is therefore affected.

  634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before
                 struct access") -- CVE-2026-46140, tagged Cc: stable

  e3ac0d9f1a20 ("Bluetooth: btmtk: accept too short WMT FUNC_CTRL
                 events") -- Fixes the above; regression fix for
                 real MT7925/MT7922 hardware. Both are needed together.

The first patch fixes an out-of-bounds read: btmtk_usb_hci_wmt_sync()
casts the WMT event response SKB data into struct btmtk_hci_wmt_evt /
struct btmtk_hci_wmt_evt_funcc without checking the SKB length first.

The second patch is the required follow-up: the strict length check
breaks devices that legitimately send a shorter FUNC_CTRL event, so it
must accompany the first.

Both cherry-pick cleanly onto linux-6.6.y at v6.6.143 with no conflicts;
skb_pull_data() is available in 6.6.y. Compile-tested only
(CC [M] drivers/bluetooth/btmtk.o) - no affected hardware available.

Pauli Virtanen (1):
  Bluetooth: btmtk: accept too short WMT FUNC_CTRL events

Tristan Madani (1):
  Bluetooth: btmtk: validate WMT event SKB length before struct access

 drivers/bluetooth/btmtk.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--
2.34.1
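The out-of-bounds read described in the cover letter, shown as an added example that is not part of the two patches or of the btmtk driver. The struct layouts mirror the kernel's struct btmtk_hci_wmt_evt and struct btmtk_hci_wmt_evt_funcc (an HCI event header followed by a WMT header, with the FUNC_CTRL variant appending a big-endian status word), but the type names, the minimal `skb` stand-in, the FUNC_CTRL opcode value and the sample bytes are this example's own constructions. The unchecked parser casts the buffer without consulting the valid length and so reads the status word from stale bytes beyond it; the checked parser requires the common header for every event and reads the FUNC_CTRL status only when the event is long enough to carry it, which is how this example models the "accept too short FUNC_CTRL events" follow-up (treating an absent status as success is an assumption here, not a claim about the upstream patch).

```c
/* Added example: unchecked vs. length-validated parsing of a WMT event.
 * Layouts follow btmtk_hci_wmt_evt{,_funcc}; names are simplified and the
 * skb type is a stand-in, not the kernel's struct sk_buff. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WMT_OP_FUNC_CTRL 0x06   /* assumed opcode value for FUNC_CTRL */

struct hci_event_hdr { uint8_t evt; uint8_t plen; } __attribute__((packed));
struct wmt_hdr { uint8_t dir; uint8_t op; uint16_t dlen; uint8_t flag; } __attribute__((packed));
struct wmt_evt { struct hci_event_hdr hhdr; struct wmt_hdr whdr; } __attribute__((packed));
struct wmt_evt_funcc { struct wmt_evt hwhdr; uint16_t status; } __attribute__((packed)); /* status is __be16 */

/* Minimal stand-in for an skb: a data pointer plus the number of VALID bytes. */
struct skb { const uint8_t *data; size_t len; };

enum { WMT_OK = 0, WMT_FAIL = -1, WMT_TOO_SHORT = -2 };

static uint16_t be16_load(const void *p)
{
    const uint8_t *b = p;
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* Vulnerable pattern: casts skb->data to the struct without checking skb->len.
 * For a short FUNC_CTRL event the status read pulls bytes beyond the valid data. */
static int wmt_parse_unchecked(const struct skb *skb)
{
    const struct wmt_evt *evt = (const void *)skb->data;

    if (evt->whdr.op == WMT_OP_FUNC_CTRL) {
        const struct wmt_evt_funcc *fc = (const void *)skb->data;
        return be16_load(&fc->status) == 0 ? WMT_OK : WMT_FAIL;
    }
    return WMT_OK;
}

/* Hardened pattern: validate the length before any struct access. The common
 * header is mandatory; the FUNC_CTRL status word is only read when present,
 * so devices that send the shorter FUNC_CTRL event are still accepted. */
static int wmt_parse_checked(const struct skb *skb)
{
    const struct wmt_evt *evt;

    if (skb->len < sizeof(*evt))
        return WMT_TOO_SHORT;
    evt = (const void *)skb->data;

    if (evt->whdr.op == WMT_OP_FUNC_CTRL) {
        const struct wmt_evt_funcc *fc;

        if (skb->len < sizeof(*fc))
            return WMT_OK;          /* short FUNC_CTRL event: no status to check (assumption) */
        fc = (const void *)skb->data;
        return be16_load(&fc->status) == 0 ? WMT_OK : WMT_FAIL;
    }
    return WMT_OK;
}

/* Constructed sample: a FUNC_CTRL event whose first 7 bytes are valid; the
 * 0xde 0xad bytes after it model stale memory past skb->len. */
static const uint8_t sample_short_funcc[16] = {
    0xe4, 0x05,                                 /* hci_event_hdr: vendor event, plen */
    0x02, WMT_OP_FUNC_CTRL, 0x00, 0x00, 0x00,   /* wmt_hdr: dir, op, dlen, flag */
    0xde, 0xad, 0, 0, 0, 0, 0, 0, 0             /* beyond the valid length */
};

/* Constructed sample: a complete 9-byte FUNC_CTRL event reporting status 1. */
static const uint8_t sample_full_funcc_err[9] = {
    0xe4, 0x07, 0x02, WMT_OP_FUNC_CTRL, 0x02, 0x00, 0x00, 0x00, 0x01
};

int demo_short_funcc_unchecked(void)
{
    struct skb s = { sample_short_funcc, sizeof(struct wmt_evt) };
    return wmt_parse_unchecked(&s);     /* reads 0xdead past len -> WMT_FAIL */
}

int demo_short_funcc_checked(void)
{
    struct skb s = { sample_short_funcc, sizeof(struct wmt_evt) };
    return wmt_parse_checked(&s);       /* header complete, status absent -> WMT_OK */
}

int demo_truncated_checked(void)
{
    struct skb s = { sample_short_funcc, 2 };
    return wmt_parse_checked(&s);       /* not even a full header -> WMT_TOO_SHORT */
}

int demo_full_funcc_error_checked(void)
{
    struct skb s = { sample_full_funcc_err, sizeof(sample_full_funcc_err) };
    return wmt_parse_checked(&s);       /* status 0x0001 -> WMT_FAIL */
}

int main(void)
{
    printf("short FUNC_CTRL, unchecked: %d\n", demo_short_funcc_unchecked());
    printf("short FUNC_CTRL, checked:   %d\n", demo_short_funcc_checked());
    printf("truncated header, checked:  %d\n", demo_truncated_checked());
    printf("full FUNC_CTRL err, checked: %d\n", demo_full_funcc_error_checked());
    return 0;
}
```

The unchecked parser's verdict depends on whatever happens to follow the valid bytes, which is exactly the out-of-bounds read the first patch closes; the checked parser decides from skb->len alone. In the driver the equivalent check is done with skb_pull_data(), which the cover letter notes is available in 6.6.y.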
Thread overview (5+ messages):

  2026-06-26 10:46  Siva Balasubramanian  [PATCH 0/2] Bluetooth: btmtk: WMT event length validation (CVE-2026-46140) - 6.6.y backport [this message]
  2026-06-26 10:46  Siva Balasubramanian  ` [PATCH 1/2] Bluetooth: btmtk: validate WMT event SKB length before struct access
  2026-06-26 13:14  bluez.test.bot        ` Bluetooth: btmtk: WMT event length validation (CVE-2026-46140) - 6.6.y backport
  2026-06-26 10:46  Siva Balasubramanian  ` [PATCH 2/2] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
  2026-06-27 16:35  Sasha Levin           ` [PATCH 0/2] Bluetooth: btmtk: WMT event length validation (CVE-2026-46140) - 6.6.y backport