From: Jeremy Erazo <mendozayt13@gmail.com>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Marcel Holtmann <marcel@holtmann.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Claudia Draghicescu <claudia.rosu@nxp.com>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Jeremy Erazo <mendozayt13@gmail.com>
Subject: [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
Date: Thu, 2 Jul 2026 14:42:05 +0000 [thread overview]
Message-ID: <20260702144207.320421-1-mendozayt13@gmail.com> (raw)
Hi Greg, Sasha, Luiz,
Following the guidance Greg gave on my earlier report to security@kernel.org
(subject: "Bluetooth ISO: unbounded memcpy in iso_connect_ind still in stable
LTS", 2026-07-02) - that this is a stable backport miss rather than a new
security bug - here are the two backports.
Root cause: upstream commit f4da3ee15de99e ("Bluetooth: ISO: Copy BASE if
service data matches EIR_BAA_SERVICE_UUID", 2023-09-28, mainline v6.7)
addressed the OOB write in iso_connect_ind() but landed without a Fixes: tag,
so the stable autoselect bot never picked it up. linux-6.6.y (v6.6.143) and
linux-6.1.y (v6.1.176) both still ship the pre-fix code where ev3->length,
a __u8 in [0, 255], drives memcpy() directly into iso_pi(sk)->base[248].
Values in [249, 255] overflow 1 to 7 bytes into adjacent fields of struct
iso_pinfo, including the low bytes of iso_pi(sk)->conn. FORTIFY_SOURCE
flags the write but does not block it.
Affected branch matrix (as of today, 2026-07-02):
* linux-6.6.y (v6.6.143) vulnerable - patch 1/2
* linux-6.1.y (v6.1.176) vulnerable - patch 2/2
* linux-5.15.y NOT affected - iso_connect_ind PA-report handling
was introduced by commit 9c0826310bfb
in v6.5, after 5.15.y branched.
My earlier email to security@kernel.org
listed 5.15.y in error; please disregard.
Both patches are straight backports of f4da3ee15de99e:
* 1/2 (6.6.y): applies cleanly. eir_get_service_data(),
EIR_BAA_SERVICE_UUID, and the eir.h include are already present in the
tree, so this is a plain "git apply" of the upstream diff on iso.c.
* 2/2 (6.1.y): needs a small mechanical adjustment - iso.c in 6.1.y does
not #include "eir.h" and does not define EIR_BAA_SERVICE_UUID; both are
added here to match the upstream commit. eir_get_service_data() itself
is already declared in net/bluetooth/eir.h on 6.1.y, so no other files
are touched. The put_user() correction that upstream f4da3ee15de99e
also folded into iso_sock_getsockopt() is intentionally omitted; that
hunk is an unrelated getsockopt correctness fix and dropping it keeps
the backport minimal and focused on the OOB write.
Reachability of the underlying bug: any host with an ISO listening socket
bound as a broadcast sink (LE Audio / Auracast use case). No pairing
required, single HCI_EV_LE_PER_ADV_REPORT event within BLE radio range.
Build verification: net/bluetooth/iso.o builds cleanly in both trees with
BT + BT_LE + BT_HCIVHCI enabled on x86_64 defconfig. No new checkpatch
errors; the two warnings reported are "unknown commit id" (shallow clone)
and one long line in the backport-note paragraph.
I did not include a reproducer or PoC in this series because the fix is
the one Luiz/Claudia already landed upstream and there is no dispute about
the OOB write - the point of the series is only to carry the same fix into
the two LTS branches that missed it. A userspace reproducer against
/dev/vhci exists locally and is available on request if the maintainers
want to confirm on their side.
Jeremy Erazo (2):
Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
net/bluetooth/iso.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
--
2.47.3
next reply other threads:[~2026-07-02 14:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 14:42 Jeremy Erazo [this message]
2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
2026-07-02 16:39 ` Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y bluez.test.bot
2026-07-02 14:42 ` [PATCH 2/2 6.1.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
2026-07-04 2:04 ` [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702144207.320421-1-mendozayt13@gmail.com \
--to=mendozayt13@gmail.com \
--cc=claudia.rosu@nxp.com \
--cc=gregkh@linuxfoundation.org \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.von.dentz@intel.com \
--cc=marcel@holtmann.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox