Linux bluetooth development
From: Jeremy Erazo <mendozayt13@gmail.com>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>,
	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
	Marcel Holtmann <marcel@holtmann.org>,
	Johan Hedberg <johan.hedberg@gmail.com>,
	Claudia Draghicescu <claudia.rosu@nxp.com>,
	linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jeremy Erazo <mendozayt13@gmail.com>
Subject: [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
Date: Thu,  2 Jul 2026 14:42:05 +0000	[thread overview]
Message-ID: <20260702144207.320421-1-mendozayt13@gmail.com> (raw)

Hi Greg, Sasha, Luiz,

Following the guidance Greg gave on my earlier report to security@kernel.org
(subject: "Bluetooth ISO: unbounded memcpy in iso_connect_ind still in stable
LTS", 2026-07-02) - that this is a stable backport miss rather than a new
security bug - here are the two backports.

Root cause: upstream commit f4da3ee15de99e ("Bluetooth: ISO: Copy BASE if
service data matches EIR_BAA_SERVICE_UUID", 2023-09-28, mainline v6.7)
addressed the OOB write in iso_connect_ind() but landed without a Fixes: tag,
so the stable autoselect bot never picked it up. linux-6.6.y (v6.6.143) and
linux-6.1.y (v6.1.176) both still ship the pre-fix code where ev3->length,
a __u8 in [0, 255], drives memcpy() directly into iso_pi(sk)->base[248].
Values in [249, 255] overflow 1 to 7 bytes into adjacent fields of struct
iso_pinfo, including the low bytes of iso_pi(sk)->conn.  FORTIFY_SOURCE
flags the write but does not block it.

Affected branch matrix (as of today, 2026-07-02):

  * linux-6.6.y  (v6.6.143)  vulnerable  - patch 1/2
  * linux-6.1.y  (v6.1.176)  vulnerable  - patch 2/2
  * linux-5.15.y            NOT affected  - iso_connect_ind PA-report handling
                                            was introduced by commit 9c0826310bfb
                                            in v6.5, after 5.15.y branched.
                                            My earlier email to security@kernel.org
                                            listed 5.15.y in error; please disregard.

Both patches are straight backports of f4da3ee15de99e:

  * 1/2 (6.6.y): applies cleanly.  eir_get_service_data(),
    EIR_BAA_SERVICE_UUID, and the eir.h include are already present in the
    tree, so this is a plain "git apply" of the upstream diff on iso.c.

  * 2/2 (6.1.y): needs a small mechanical adjustment - iso.c in 6.1.y does
    not #include "eir.h" and does not define EIR_BAA_SERVICE_UUID; both are
    added here to match the upstream commit.  eir_get_service_data() itself
    is already declared in net/bluetooth/eir.h on 6.1.y, so no other files
    are touched.  The put_user() correction that upstream f4da3ee15de99e
    also folded into iso_sock_getsockopt() is intentionally omitted; that
    hunk is an unrelated getsockopt correctness fix and dropping it keeps
    the backport minimal and focused on the OOB write.

Reachability of the underlying bug: any host with an ISO listening socket
bound as a broadcast sink (LE Audio / Auracast use case).  No pairing
required, single HCI_EV_LE_PER_ADV_REPORT event within BLE radio range.

Build verification: net/bluetooth/iso.o builds cleanly in both trees with
BT + BT_LE + BT_HCIVHCI enabled on x86_64 defconfig.  No new checkpatch
errors; the two warnings reported are "unknown commit id" (shallow clone)
and one long line in the backport-note paragraph.

I did not include a reproducer or PoC in this series because the fix is
the one Luiz/Claudia already landed upstream and there is no dispute about
the OOB write - the point of the series is only to carry the same fix into
the two LTS branches that missed it.  A userspace reproducer against
/dev/vhci exists locally and is available on request if the maintainers
want to confirm on their side.

Jeremy Erazo (2):
  Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
  Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID

 net/bluetooth/iso.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

--
2.47.3
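The cover letter describes the hazard in one sentence: a `__u8` length from the HCI event drives `memcpy()` straight into a 248-byte `base[]`, so lengths 249..255 spill into the neighbouring fields of the socket's private info. The following stand-alone C program is an added illustration, not code from the series or from net/bluetooth/iso.c. It shows the defensive shape of the upstream approach the letter refers to: walk the advertising-data structures, pick out only the service data tagged with the Broadcast Audio Announcement UUID, and copy it only if it fits. The AD layout (`[len][type][data]`, type 0x16 for 16-bit-UUID service data), the UUID value 0x1851, and the names `sink_info`, `find_service_data` and `copy_base_bounded` are this example's own assumptions, not identifiers from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE_MAX_LEN 248        /* mirrors the base[248] size quoted in the cover letter */
#define AD_SERVICE_DATA16 0x16  /* AD type "Service Data - 16-bit UUID" (assumed from the BT spec) */
#define BAA_SERVICE_UUID 0x1851 /* Broadcast Audio Announcement UUID; stands in for EIR_BAA_SERVICE_UUID */

/* Toy stand-in for the kernel's per-socket info: base[] with a neighbour
 * field right after it, so an over-long copy would be visible. */
struct sink_info {
	uint8_t base[BASE_MAX_LEN];
	uint8_t base_len;
	uint32_t conn_marker;   /* plays the role of the adjacent conn pointer */
};

/* Walk [len][type][data...] AD structures inside a report of total_len bytes.
 * Every index is checked against total_len before use. On success returns a
 * pointer to the service-data payload for uuid16 and sets *out_len. */
static const uint8_t *find_service_data(const uint8_t *data, size_t total_len,
					uint16_t uuid16, size_t *out_len)
{
	size_t off = 0;

	while (off < total_len) {
		uint8_t ad_len = data[off];

		if (ad_len == 0)
			break;                       /* zero-length = padding/terminator */
		if (off + 1 + ad_len > total_len)
			return NULL;                 /* structure claims more bytes than exist */
		if (data[off + 1] == AD_SERVICE_DATA16 && ad_len >= 3) {
			uint16_t u = data[off + 2] | (data[off + 3] << 8); /* little-endian UUID */

			if (u == uuid16) {
				*out_len = ad_len - 3;  /* minus type byte and 2 UUID bytes */
				return data + off + 4;
			}
		}
		off += 1 + ad_len;
	}
	return NULL;
}

/* Copy the BASE only if it is BAA service data and fits in base[].
 * Returns 0 on success, -1 if absent/malformed, -2 if too long. */
static int copy_base_bounded(struct sink_info *si, const uint8_t *report, uint8_t report_len)
{
	size_t len;
	const uint8_t *base = find_service_data(report, report_len, BAA_SERVICE_UUID, &len);

	if (!base)
		return -1;
	if (len > sizeof(si->base))
		return -2;                           /* the check the pre-fix code lacked */
	memcpy(si->base, base, len);
	si->base_len = (uint8_t)len;
	return 0;
}

/* Constructed sample: Flags AD, then BAA service data carrying a 5-byte BASE. */
static const uint8_t sample_valid[] = {
	0x02, 0x01, 0x06,                                          /* Flags */
	0x08, 0x16, 0x51, 0x18, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE       /* svc data, UUID 0x1851, BASE */
};

/* Returns the copied length (5) and verifies the neighbour field survived. */
int demo_valid(void)
{
	struct sink_info si;

	memset(&si, 0, sizeof(si));
	si.conn_marker = 0xDEADBEEFu;
	if (copy_base_bounded(&si, sample_valid, sizeof(sample_valid)) != 0)
		return -1;
	if (si.conn_marker != 0xDEADBEEFu || si.base[0] != 0xAA || si.base[4] != 0xEE)
		return -1;
	return si.base_len;
}

/* A 255-byte report whose single AD structure carries 251 bytes of payload:
 * more than base[] can hold, so the copy must be refused (-2). */
int demo_oversized(void)
{
	struct sink_info si;
	uint8_t report[255];

	memset(&si, 0, sizeof(si));
	memset(report, 0, sizeof(report));
	report[0] = 254; report[1] = AD_SERVICE_DATA16; report[2] = 0x51; report[3] = 0x18;
	return copy_base_bounded(&si, report, sizeof(report));
}

/* A structure that claims 5 bytes but only 4 follow: rejected as malformed (-1). */
int demo_truncated(void)
{
	struct sink_info si;
	static const uint8_t report[] = { 0x05, 0x16, 0x51, 0x18, 0x01 };

	memset(&si, 0, sizeof(si));
	return copy_base_bounded(&si, report, sizeof(report));
}

int main(void)
{
	printf("valid: %d  oversized: %d  truncated: %d\n",
	       demo_valid(), demo_oversized(), demo_truncated());
	return 0;
}
```

The point the example makes is that the bound has to be applied to the length actually used by `memcpy()`, after the payload has been located; an `ev3->length` that is a `__u8` is in range for the event but not for the 248-byte destination, which is exactly the gap the backports close.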


Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 14:42 Jeremy Erazo [this message]
2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
2026-07-02 16:39   ` Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y bluez.test.bot
2026-07-02 14:42 ` [PATCH 2/2 6.1.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
2026-07-04  2:04 ` [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin