* [PATCH] Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
From: Minseo Park @ 2026-03-15 13:14 UTC (permalink / raw)
To: marcel, luiz.dentz
Cc: linux-bluetooth, linux-kernel, syzbot+b7f3e7d9a596bf6a63e3,
Minseo Park
Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()
that is triggered by a malformed Enhanced Credit Based Connection Request.

The vulnerability stems from l2cap_ecred_conn_req(). The function allocates
a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel
IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more
than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated
`cmd_len` before checking if the number of SCIDs exceeds
L2CAP_ECRED_MAX_CID.

If the SCID count is too high, the function correctly jumps to the
`response` label to reject the packet, but `rsp_len` retains the
attacker's oversized value. Consequently, l2cap_send_cmd() is instructed
to read past the end of the 18-byte `pdu` buffer, triggering a
KASAN panic.

Fix this by moving the assignment of `rsp_len` to after the `num_scid`
boundary check. If the packet is rejected, `rsp_len` will safely
remain 0, and the error response will only read the 8-byte base header
from the stack.
Fixes: c28d2bff7044 ("Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too short")
Reported-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b7f3e7d9a596bf6a63e3
Tested-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com
Signed-off-by: Minseo Park <jacob.park.9436@gmail.com>
---
net/bluetooth/l2cap_core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ad98db9632fd..abd091155d04 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5075,14 +5075,14 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
cmd_len -= sizeof(*req);
num_scid = cmd_len / sizeof(u16);
- /* Always respond with the same number of scids as in the request */
- rsp_len = cmd_len;
-
if (num_scid > L2CAP_ECRED_MAX_CID) {
result = L2CAP_CR_LE_INVALID_PARAMS;
goto response;
}
+ /* Always respond with the same number of scids as in the request */
+ rsp_len = cmd_len;
+
mtu = __le16_to_cpu(req->mtu);
mps = __le16_to_cpu(req->mps);
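Review bot: with `rsp_len = cmd_len;` now placed after the `num_scid > L2CAP_ECRED_MAX_CID` check, the `goto response;` path relies on `rsp_len` already holding 0 from its declaration, which this hunk does not show; an explicit `rsp_len = 0;` next to the `goto` (or a sentence in the commit message pointing at the initialiser) would keep the reject path safe if this block is reordered again later. The moved comment "Always respond with the same number of scids as in the request" now holds only for requests that passed validation; rewording it to say that rejected requests get the bare header would match the new behaviour.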
--
2.43.0
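The ordering bug the commit message describes, modelled in a small added example (not the kernel's code) that puts the pre-fix and post-fix length computation side by side; the 8-byte header, 5-SCID limit and 18-byte buffer follow the commit message, while the function names and the `rejected` out-parameter are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the length handling in l2cap_ecred_conn_req(); sizes are taken
 * from the commit message: an 8-byte response header followed by at most
 * 5 u16 SCIDs, 18 bytes of stack buffer in total. */
#define ECRED_MAX_CID 5
#define RSP_HDR_LEN   8
#define PDU_LEN       (RSP_HDR_LEN + ECRED_MAX_CID * sizeof(uint16_t)) /* 18 */

/* Pre-fix ordering: rsp_len is copied from the unvalidated cmd_len before
 * num_scid is checked, so a rejected request keeps the oversized length. */
size_t rsp_len_before_fix(size_t cmd_len, int *rejected)
{
    size_t num_scid = cmd_len / sizeof(uint16_t);
    size_t rsp_len = cmd_len;           /* assigned before validation */

    *rejected = num_scid > ECRED_MAX_CID;
    return rsp_len;                     /* unchanged on the reject path */
}

/* Post-fix ordering: rsp_len stays 0 unless the SCID count passed the
 * check, so the reject path only carries the base header. */
size_t rsp_len_after_fix(size_t cmd_len, int *rejected)
{
    size_t num_scid = cmd_len / sizeof(uint16_t);
    size_t rsp_len = 0;

    *rejected = num_scid > ECRED_MAX_CID;
    if (!*rejected)
        rsp_len = cmd_len;              /* same number of SCIDs echoed back */
    return rsp_len;
}

/* True when a response of header + rsp_len bytes stays inside the pdu. */
int read_fits_in_pdu(size_t rsp_len)
{
    return RSP_HDR_LEN + rsp_len <= PDU_LEN;
}
```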
* RE: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
From: bluez.test.bot @ 2026-03-15 14:06 UTC (permalink / raw)
To: linux-bluetooth, jacob.park.9436
This is an automated email, please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1066903
---Test result---
Test Summary:
CheckPatch                    PENDING   0.39 seconds
GitLint                       PENDING   0.25 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      26.38 seconds
CheckAllWarning               PASS      29.04 seconds
CheckSparse                   WARNING   33.50 seconds
BuildKernel32                 PASS      25.85 seconds
TestRunnerSetup               PASS      571.72 seconds
TestRunner_l2cap-tester       PASS      29.16 seconds
TestRunner_iso-tester         PASS      98.92 seconds
TestRunner_bnep-tester        PASS      6.54 seconds
TestRunner_mgmt-tester        FAIL      128.59 seconds
TestRunner_rfcomm-tester      PASS      9.68 seconds
TestRunner_sco-tester         FAIL      15.05 seconds
TestRunner_ioctl-tester       PASS      10.42 seconds
TestRunner_mesh-tester        FAIL      12.39 seconds
TestRunner_smp-tester         PASS      8.79 seconds
TestRunner_userchan-tester    PASS      6.86 seconds
IncrementalBuild              PENDING   0.52 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/l2cap_core.c:7798:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7799:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7801:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7802:1: error: bad constant expression
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.120 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.528 seconds
Mesh - Send cancel - 2 Timed out 1.996 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
From: patchwork-bot+bluetooth @ 2026-03-16 20:00 UTC (permalink / raw)
To: Minseo Park
Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel,
syzbot+b7f3e7d9a596bf6a63e3
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Sun, 15 Mar 2026 22:14:37 +0900 you wrote:
> Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()
> that is triggered by a malformed Enhanced Credit Based Connection Request.
>
> The vulnerability stems from l2cap_ecred_conn_req(). The function allocates
> a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel
> IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more
> than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated
> `cmd_len` before checking if the number of SCIDs exceeds
> L2CAP_ECRED_MAX_CID.
>
> [...]
Here is the summary with links:
- Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
https://git.kernel.org/bluetooth/bluetooth-next/c/6ec1f2e822b2
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html