From: pip-izony <eeodqql09@gmail.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: Seungjin Bae <eeodqql09@gmail.com>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org
Subject: [PATCH v3] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
Date: Wed, 8 Oct 2025 22:57:01 -0400 [thread overview]
Message-ID: <20251009025701.3756598-2-eeodqql09@gmail.com> (raw)
In-Reply-To: <77bde79f-2080-4e40-a013-52b480c0928c@molgen.mpg.de>
From: Seungjin Bae <eeodqql09@gmail.com>
The bfusb_rx_complete() function parses incoming URB data in a while loop.
The logic does not sufficiently validate the remaining buffer size(count)
across loop iterations, which can lead to a buffer over-read.
For example, with 4-bytes remaining buffer, if the first iteration takes
the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
only 2-bytes remain, but the else branch is trying to access the third
byte(buf[2]). This causes an out-of-bounds read and a potential kernel
panic.
This patch fixes the vulnerability by adding checks to ensure enough
data remains in the buffer before it is accessed.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Fixing the error function name
v2 -> v3: Addressing feedback from Paul Menzel
drivers/bluetooth/bfusb.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index 8df310983bf6..90ca5ab2acc3 100644
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -360,6 +360,12 @@ static void bfusb_rx_complete(struct urb *urb)
count -= 2;
buf += 2;
} else {
+ if (count < 3) {
+ bt_dev_err(data->hdev,
+ "block header is too short (count=%d, expected=3)",
+ count);
+ break;
+ }
len = (buf[2] == 0) ? 256 : buf[2];
count -= 3;
buf += 3;
--
2.43.0
next prev parent reply other threads:[~2025-10-09 2:57 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-07 23:29 [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing loop pip-izony
2025-10-08 1:17 ` bluez.test.bot
2025-10-08 1:56 ` [PATCH v2] " pip-izony
2025-10-08 3:01 ` [v2] " bluez.test.bot
2025-10-08 3:51 ` [PATCH v2] " Paul Menzel
2025-10-09 2:57 ` pip-izony [this message]
2025-10-09 3:50 ` [v3] " bluez.test.bot
2025-10-09 7:01 ` [PATCH v3] " Paul Menzel
2025-10-09 16:48 ` [PATCH v4] " pip-izony
2025-10-09 17:14 ` Luiz Augusto von Dentz
2025-10-09 17:34 ` [v4] " bluez.test.bot
2025-10-08 4:58 ` [PATCH] " Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251009025701.3756598-2-eeodqql09@gmail.com \
--to=eeodqql09@gmail.com \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox