* [PATCH v2] Bluetooth: eir: Fix stack OOB write when prepending the Flags AD
@ 2026-06-02 17:06 Weiming Shi
2026-06-02 19:14 ` [v2] " bluez.test.bot
2026-06-03 17:50 ` [PATCH v2] " patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Weiming Shi @ 2026-06-02 17:06 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: Arman Uguray, linux-bluetooth, linux-kernel, Xiang Mei,
Weiming Shi
eir_create_adv_data() builds the advertising data into a fixed-size
buffer ("size", 31 for the legacy path). It may prepend a 3-byte "Flags"
AD structure (LE_AD_NO_BREDR on an LE-only controller) and then copies
the per-instance data without checking that it still fits:
memcpy(ptr, adv->adv_data, adv->adv_data_len);
tlv_data_max_len() only reserves those 3 bytes when the user-supplied
flags carry a managed-flags bit, so an instance added with flags == 0 is
accepted with adv_data_len up to the full buffer. At advertise time the
flags are still prepended, and the memcpy() writes 3 + adv_data_len
bytes into the size-byte buffer:
BUG: KASAN: stack-out-of-bounds in eir_create_adv_data (net/bluetooth/eir.c:301)
Write of size 31 at addr ffff88800a547bdc by task kworker/u9:0/65
Workqueue: hci0 hci_cmd_sync_work
__asan_memcpy (mm/kasan/shadow.c:106)
eir_create_adv_data (net/bluetooth/eir.c:301)
hci_update_adv_data_sync (net/bluetooth/hci_sync.c:1310)
hci_schedule_adv_instance_sync (net/bluetooth/hci_sync.c:1817)
hci_cmd_sync_work (net/bluetooth/hci_sync.c:332)
This frame has 1 object:
[32, 64) 'cp'
The "Flags" structure is added by the kernel, not requested by
userspace, so only prepend it when it fits together with the instance
advertising data; when there is no room for both, drop the flags rather
than the user-provided data.
Reachable by a local user with CAP_NET_ADMIN owning an LE-only
controller on the legacy advertising path.
Fixes: b44133ff03be ("Bluetooth: Support the "discoverable" adv flag")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
v2: drop the kernel-added "Flags" AD when it does not fit with the instance
data, instead of dropping the user data.
net/bluetooth/eir.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
index 3f72111ba651..1de5f9df6eec 100644
--- a/net/bluetooth/eir.c
+++ b/net/bluetooth/eir.c
@@ -283,10 +283,12 @@ u8 eir_create_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr, u8 size)
if (!flags)
flags |= mgmt_get_adv_discov_flags(hdev);
- /* If flags would still be empty, then there is no need to
- * include the "Flags" AD field".
+ /* Only add the "Flags" if it fits together with the instance
+ * advertising data; drop it rather than overflow the buffer.
*/
- if (flags && (ad_len + eir_precalc_len(1) <= size)) {
+ if (flags &&
+ (ad_len + eir_precalc_len(1) +
+ (adv ? adv->adv_data_len : 0) <= size)) {
ptr[0] = 0x02;
ptr[1] = EIR_FLAGS;
ptr[2] = flags;
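Review bot: the new condition only guards the decision to prepend the Flags AD; the memcpy() of adv->adv_data that follows this hunk still has no bound of its own, so the builder is only safe as long as every add path really enforces adv_data_len <= size via tlv_data_max_len(). A check (or at least a WARN_ON) immediately before that memcpy() would keep eir_create_adv_data() correct on its own if the add-time accounting changes again. The comment should also say why the Flags AD is the one dropped (it is kernel-added, the instance data is what userspace asked for) and that an LE-only controller then advertises without LE_AD_NO_BREDR; if that on-air change is not wanted, the alternative is to have tlv_data_max_len() reserve eir_precalc_len(1) whenever the kernel will force a flags value, so the oversized instance is rejected at add time instead.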
--
2.43.0
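The length accounting the commit message describes, as an added user-space model that is not code from the patch or from the kernel: model_tlv_data_max_len() mirrors the add-time check (3 bytes reserved only when a managed-flags bit is set), model_build() mirrors the advertise-time builder with either the pre-patch or the patched condition, and scenario() runs the reported case of an instance added with flags == 0 and then advertised on an LE-only controller. The function names, the MGMT_ADV_FLAG_MANAGED_FLAGS stand-in bit and the instance data are constructed for the example; the model clamps the final copy so it never corrupts its own stack, but reports the byte count the unclamped memcpy() would have produced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEGACY_ADV_SIZE 31   /* the legacy "size" from the commit message */
#define EIR_FLAGS       0x01 /* AD type "Flags" */
#define LE_AD_NO_BREDR  0x04 /* Flags bit: BR/EDR not supported */
#define FLAGS_AD_LEN    3    /* length byte + type byte + one flags byte */

/* Assumed stand-in for the managed-flags bits tlv_data_max_len() looks at. */
#define MGMT_ADV_FLAG_MANAGED_FLAGS 0x02

struct build_result {
    size_t written;     /* bytes the real code would write into the buffer */
    int flags_added;    /* 1 if the kernel-added Flags AD was prepended */
    int overflow;       /* 1 if written > size, i.e. the KASAN case */
    int rejected;       /* 1 if the add-time length check refused the data */
};

/* Model of tlv_data_max_len(): the 3 flag bytes are reserved only when the
 * user-supplied instance flags carry a managed-flags bit. */
size_t model_tlv_data_max_len(uint32_t user_flags)
{
    size_t max = LEGACY_ADV_SIZE;
    if (user_flags & MGMT_ADV_FLAG_MANAGED_FLAGS)
        max -= FLAGS_AD_LEN;
    return max;
}

/* Model of the advertise-time builder.  'fixed' selects the patched
 * condition; the pre-patch condition ignores adv_data_len.  The copy is
 * clamped to 'size' so this model never overruns 'buf', while 'written'
 * is the count the unclamped kernel memcpy() would have produced. */
struct build_result model_build(uint8_t *buf, size_t size, uint8_t flags,
                                const uint8_t *adv_data, size_t adv_data_len,
                                int fixed)
{
    struct build_result r = { 0, 0, 0, 0 };
    size_t ad_len = 0;  /* nothing precedes the Flags AD in this model */
    int add_flags;

    if (fixed)
        add_flags = flags && (ad_len + FLAGS_AD_LEN + adv_data_len <= size);
    else
        add_flags = flags && (ad_len + FLAGS_AD_LEN <= size);

    if (add_flags) {
        buf[0] = 0x02;
        buf[1] = EIR_FLAGS;
        buf[2] = flags;
        ad_len += FLAGS_AD_LEN;
        r.flags_added = 1;
    }

    r.written = ad_len + adv_data_len;
    if (r.written > size) {
        r.overflow = 1;                          /* the stack OOB write */
        memcpy(buf + ad_len, adv_data, size - ad_len);
    } else {
        memcpy(buf + ad_len, adv_data, adv_data_len);
    }
    return r;
}

/* The scenario from the commit message: an instance added with flags == 0
 * (so nothing reserved), then advertised on an LE-only controller that
 * forces LE_AD_NO_BREDR into the Flags AD. */
struct build_result scenario(size_t adv_data_len, int fixed)
{
    struct build_result rejected = { 0, 0, 0, 1 };
    uint8_t buf[LEGACY_ADV_SIZE];
    uint8_t adv_data[LEGACY_ADV_SIZE];

    if (adv_data_len > model_tlv_data_max_len(0))
        return rejected;

    /* constructed instance data: one Complete Local Name (0x09) structure */
    memset(adv_data, 'A', sizeof(adv_data));
    if (adv_data_len >= 2) {
        adv_data[0] = (uint8_t)(adv_data_len - 1);
        adv_data[1] = 0x09;
    }

    return model_build(buf, sizeof(buf), LE_AD_NO_BREDR,
                       adv_data, adv_data_len, fixed);
}

int main(void)
{
    struct build_result r;

    r = scenario(31, 0);
    printf("pre-patch, 31-byte instance: written=%zu overflow=%d flags=%d\n",
           r.written, r.overflow, r.flags_added);
    r = scenario(31, 1);
    printf("patched,   31-byte instance: written=%zu overflow=%d flags=%d\n",
           r.written, r.overflow, r.flags_added);
    r = scenario(28, 1);
    printf("patched,   28-byte instance: written=%zu overflow=%d flags=%d\n",
           r.written, r.overflow, r.flags_added);
    return 0;
}
```

With the pre-patch condition a 31-byte instance is accepted at add time and the builder writes 34 bytes into the 31-byte buffer; with the patched condition the same instance is advertised without the Flags AD, and a 28-byte instance still gets the flags because 3 + 28 fits exactly.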
* RE: [v2] Bluetooth: eir: Fix stack OOB write when prepending the Flags AD
From: bluez.test.bot @ 2026-06-02 19:14 UTC (permalink / raw)
To: linux-bluetooth, bestswngs
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1104768
---Test result---
Test Summary:
CheckPatch FAIL 0.69 seconds
VerifyFixes PASS 0.11 seconds
VerifySignedoff PASS 0.11 seconds
GitLint FAIL 0.28 seconds
SubjectPrefix PASS 0.11 seconds
BuildKernel PASS 24.67 seconds
CheckAllWarning PASS 27.02 seconds
CheckSparse PASS 26.04 seconds
BuildKernel32 PASS 24.01 seconds
TestRunnerSetup PASS 529.67 seconds
TestRunner_l2cap-tester PASS 60.82 seconds
TestRunner_iso-tester PASS 80.07 seconds
TestRunner_bnep-tester PASS 18.82 seconds
TestRunner_mgmt-tester FAIL 215.41 seconds
TestRunner_rfcomm-tester PASS 25.46 seconds
TestRunner_sco-tester PASS 32.57 seconds
TestRunner_ioctl-tester PASS 26.03 seconds
TestRunner_mesh-tester FAIL 25.87 seconds
TestRunner_smp-tester PASS 27.08 seconds
TestRunner_userchan-tester PASS 19.66 seconds
TestRunner_6lowpan-tester PASS 22.53 seconds
IncrementalBuild PASS 23.19 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v2] Bluetooth: eir: Fix stack OOB write when prepending the Flags AD
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#136:
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
total: 0 errors, 1 warnings, 0 checks, 15 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14607518.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v2] Bluetooth: eir: Fix stack OOB write when prepending the Flags AD
8: B3 Line contains hard tab characters (\t): " memcpy(ptr, adv->adv_data, adv->adv_data_len);"
16: B1 Line exceeds max length (82>80): " BUG: KASAN: stack-out-of-bounds in eir_create_adv_data (net/bluetooth/eir.c:301)"
39: B1 Line exceeds max length (81>80): "v2: drop the kernel-added "Flags" AD when it does not fit with the instance data,"
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.247 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.452 seconds
Mesh - Send cancel - 2 Timed out 1.990 seconds
https://github.com/bluez/bluetooth-next/pull/275
---
Regards,
Linux Bluetooth
* Re: [PATCH v2] Bluetooth: eir: Fix stack OOB write when prepending the Flags AD
From: patchwork-bot+bluetooth @ 2026-06-03 17:50 UTC (permalink / raw)
To: Weiming Shi
Cc: marcel, luiz.dentz, armansito, linux-bluetooth, linux-kernel,
xmei5
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 3 Jun 2026 01:06:21 +0800 you wrote:
> eir_create_adv_data() builds the advertising data into a fixed-size
> buffer ("size", 31 for the legacy path). It may prepend a 3-byte "Flags"
> AD structure (LE_AD_NO_BREDR on an LE-only controller) and then copies
> the per-instance data without checking that it still fits:
>
> memcpy(ptr, adv->adv_data, adv->adv_data_len);
>
> [...]
Here is the summary with links:
- [v2] Bluetooth: eir: Fix stack OOB write when prepending the Flags AD
https://git.kernel.org/bluetooth/bluetooth-next/c/83dc982fad52
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html