From: Jeremy Erazo <mendozayt13@gmail.com>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Marcel Holtmann <marcel@holtmann.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Claudia Draghicescu <claudia.rosu@nxp.com>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Jeremy Erazo <mendozayt13@gmail.com>
Subject: [PATCH 2/2 6.1.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
Date: Thu, 2 Jul 2026 14:42:07 +0000 [thread overview]
Message-ID: <20260702144207.320421-3-mendozayt13@gmail.com> (raw)
In-Reply-To: <20260702144207.320421-1-mendozayt13@gmail.com>
commit f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream.
Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.
[Stable backport rationale]
This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up. linux-6.1.y HEAD (v6.1.176) still
carries the pre-fix code at net/bluetooth/iso.c:1613:
if (sk) {
memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
iso_pi(sk)->base_len = ev3->length;
}
ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248. When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer. FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.
The upstream refactor addresses this by:
1. Filtering via eir_get_service_data() so only the BASE portion of
the PA payload is copied.
2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).
Backport notes for 6.1.y:
* eir_get_service_data() is already declared in net/bluetooth/eir.h.
* The header include for eir.h and the EIR_BAA_SERVICE_UUID define
are added here, matching the upstream commit.
* The put_user() addition in iso_sock_getsockopt() that was part of
the same upstream commit is not included; that hunk is a separate
getsockopt correctness fix and is not required for the OOB write
fix (getsockopt(BT_ISO_BASE) is a controlled path that already
validates optlen against sizeof(iso_pi(sk)->base)). Applying the
getsockopt hunk here would risk a user-visible ABI change on a
stable branch.
Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast). No pairing required.
Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.1.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.1.y; add #include "eir.h" and EIR_BAA_SERVICE_UUID define; drop unrelated getsockopt hunk]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
net/bluetooth/iso.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 7ea3e6335..6b8622bec 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -14,6 +14,8 @@
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/iso.h>
+#include "eir.h"
+
static const struct proto_ops iso_sock_ops;
static struct bt_sock_list iso_sk_list = {
@@ -46,6 +48,7 @@ static void iso_sock_kill(struct sock *sk);
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID 0x1851
struct iso_pinfo {
struct bt_sock bt;
@@ -1606,12 +1609,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
if (ev3) {
+ size_t base_len = ev3->length;
+ u8 *base;
+
sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
iso_match_sync_handle_pa_report, ev3);
-
- if (sk) {
- memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
- iso_pi(sk)->base_len = ev3->length;
+ base = eir_get_service_data(ev3->data, ev3->length,
+ EIR_BAA_SERVICE_UUID, &base_len);
+ if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+ memcpy(iso_pi(sk)->base, base, base_len);
+ iso_pi(sk)->base_len = base_len;
}
} else {
sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
--
2.53.0
next prev parent reply other threads:[~2026-07-02 14:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
2026-07-02 16:39 ` Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y bluez.test.bot
2026-07-02 14:42 ` Jeremy Erazo [this message]
2026-07-04 2:04 ` [PATCH 0/2] " Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702144207.320421-3-mendozayt13@gmail.com \
--to=mendozayt13@gmail.com \
--cc=claudia.rosu@nxp.com \
--cc=gregkh@linuxfoundation.org \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.von.dentz@intel.com \
--cc=marcel@holtmann.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox