* [PATCH] Bluetooth: btintel_pcie: validate RX packet length against buffer size
@ 2026-03-17 6:04 moonafterrain
2026-03-17 7:00 ` bluez.test.bot
2026-03-18 9:12 ` [PATCH] " Paul Menzel
0 siblings, 2 replies; 4+ messages in thread
From: moonafterrain @ 2026-03-17 6:04 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz, Kiran K,
Tedd Ho-Jeong An
Cc: Luiz Augusto von Dentz, linux-bluetooth, linux-kernel,
Yuhao Jiang, stable, Junrui Luo
btintel_pcie_submit_rx_work() reads packet_len from an rfh_hdr in
DMA-coherent memory and uses it as the length for skb_put_data() without
upper bound validation. Since packet_len is a 16-bit field (0-65535) but
each RX DMA buffer is only BTINTEL_PCIE_BUFFER_SIZE (4096) bytes, a
malicious or malfunctioning firmware could set a large packet_len,
causing an out-of-bounds read beyond the buffer into adjacent kernel
heap memory.

Add a check that packet_len does not exceed the available payload space
alongside the existing zero-length check.

Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
drivers/bluetooth/btintel_pcie.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 37b744e35bc4..9dd02e8af2a0 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -1360,7 +1360,8 @@ static int btintel_pcie_submit_rx_work(struct btintel_pcie_data *data, u8 status
rfh_hdr = buf;
len = rfh_hdr->packet_len;
- if (len <= 0) {
+ if (len <= 0 ||
+ len > BTINTEL_PCIE_BUFFER_SIZE - sizeof(*rfh_hdr)) {
ret = -EINVAL;
goto resubmit;
}
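Review bot: the new bound `BTINTEL_PCIE_BUFFER_SIZE - sizeof(*rfh_hdr)` assumes the payload begins immediately after the rfh_hdr at the head of the buffer; the hunk shows `rfh_hdr = buf` but not the offset later handed to skb_put_data(), so please confirm the two agree, otherwise the check admits a few bytes too many. Also, `sizeof` makes the right-hand side a size_t, so `len` is converted to unsigned for that comparison; the commit message says packet_len is a 16-bit field, so no value reaching here is negative and the conversion is harmless, but if `len` is declared unsigned then the retained `len <= 0` is just `len == 0` and would read more clearly written that way.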
---
base-commit: f338e77383789c0cae23ca3d48adcc5e9e137e3c
change-id: 20260317-fixes-2efba1c4768b
Best regards,
--
Junrui Luo <moonafterrain@outlook.com>
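The check the patch adds, modelled in user space as an added example (not the driver's code) so the pre- and post-patch versions can be run against boundary values of packet_len. BTINTEL_PCIE_BUFFER_SIZE (4096) and the 16-bit packet_len come from the commit message; the rfh_hdr layout and the function names are assumptions.

```c
/* Added example, not the driver's code: a user-space model of the RX length
 * check from the patch so the boundary values can be exercised.  The 4096-byte
 * BTINTEL_PCIE_BUFFER_SIZE and the 16-bit packet_len come from the thread; the
 * header layout and the function names are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define BTINTEL_PCIE_BUFFER_SIZE 4096

/* Assumed header layout; only its size and packet_len matter here. */
struct rfh_hdr {
	uint16_t packet_len;
	uint16_t reserved;
};

/* Payload space behind the header in one RX buffer: 4096 - 4 = 4092. */
#define MAX_PAYLOAD ((int)(BTINTEL_PCIE_BUFFER_SIZE - sizeof(struct rfh_hdr)))

/* Pre-patch check: only an empty packet is rejected, so whatever the device
 * wrote into packet_len becomes the skb_put_data() length. */
static int rx_len_before(uint16_t packet_len)
{
	int len = packet_len;
	return len <= 0 ? -EINVAL : len;
}

/* Post-patch check: also rejects any length past the payload space. */
static int rx_len_after(uint16_t packet_len)
{
	int len = packet_len;
	if (len <= 0 || len > MAX_PAYLOAD)
		return -EINVAL;
	return len;
}

/* Bytes the pre-patch path would read beyond the end of the 4096-byte buffer. */
static size_t overread_before(uint16_t packet_len)
{
	int len = rx_len_before(packet_len);
	return len > MAX_PAYLOAD ? (size_t)(len - MAX_PAYLOAD) : 0;
}

int main(void)
{
	const uint16_t probes[] = { 0, 1, 4092, 4093, 65535 };
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("packet_len=%5u: before overreads %zu bytes, after returns %d\n",
		       (unsigned)probes[i], overread_before(probes[i]), rx_len_after(probes[i]));
	return 0;
}
```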
* RE: Bluetooth: btintel_pcie: validate RX packet length against buffer size
2026-03-17 6:04 [PATCH] Bluetooth: btintel_pcie: validate RX packet length against buffer size moonafterrain
@ 2026-03-17 7:00 ` bluez.test.bot
2026-03-18 9:12 ` [PATCH] " Paul Menzel
1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-03-17 7:00 UTC (permalink / raw)
To: linux-bluetooth, moonafterrain
This is an automated email, please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1067754
---Test result---
Test Summary:
CheckPatch PENDING 0.33 seconds
GitLint PENDING 0.22 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 26.42 seconds
CheckAllWarning PASS 28.71 seconds
CheckSparse PASS 27.52 seconds
BuildKernel32 PASS 25.53 seconds
TestRunnerSetup PASS 573.77 seconds
TestRunner_l2cap-tester PASS 28.55 seconds
TestRunner_iso-tester FAIL 36.80 seconds
TestRunner_bnep-tester PASS 6.50 seconds
TestRunner_mgmt-tester FAIL 115.39 seconds
TestRunner_rfcomm-tester PASS 9.53 seconds
TestRunner_sco-tester FAIL 14.39 seconds
TestRunner_ioctl-tester PASS 10.27 seconds
TestRunner_mesh-tester FAIL 12.58 seconds
TestRunner_smp-tester PASS 8.90 seconds
TestRunner_userchan-tester PASS 6.87 seconds
IncrementalBuild PENDING 0.47 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.105 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.676 seconds
Mesh - Send cancel - 2 Timed out 1.992 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: btintel_pcie: validate RX packet length against buffer size
2026-03-17 6:04 [PATCH] Bluetooth: btintel_pcie: validate RX packet length against buffer size moonafterrain
2026-03-17 7:00 ` bluez.test.bot
@ 2026-03-18 9:12 ` Paul Menzel
2026-03-19 3:07 ` Junrui Luo
1 sibling, 1 reply; 4+ messages in thread
From: Paul Menzel @ 2026-03-18 9:12 UTC (permalink / raw)
To: moonafterrain
Cc: Marcel Holtmann, Luiz Augusto von Dentz, Kiran K,
Tedd Ho-Jeong An, Luiz Augusto von Dentz, linux-bluetooth,
linux-kernel, Yuhao Jiang, stable
Dear Junrui,
Thank you for your patch. It would be great if you configured your name in the
author line – currently it only contains the address:
From: moonafterrain@outlook.com
No idea, why b4 is not doing it.
Am 17.03.26 um 07:04 schrieb moonafterrain@outlook.com:
> btintel_pcie_submit_rx_work() reads packet_len from an rfh_hdr in
> DMA-coherent memory and uses it as the length for skb_put_data() without
> upper bound validation. Since packet_len is a 16-bit field (0-65535) but
> each RX DMA buffer is only BTINTEL_PCIE_BUFFER_SIZE (4096) bytes, a
> malicious or malfunctioning firmware could set a large packet_len,
> causing an out-of-bounds read beyond the buffer into adjacent kernel
> heap memory.
>
> Add a check that packet_len does not exceed the available payload space
> alongside the existing zero-length check.
Do you have a reproducer or test case for this issue?
> Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
> drivers/bluetooth/btintel_pcie.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
> index 37b744e35bc4..9dd02e8af2a0 100644
> --- a/drivers/bluetooth/btintel_pcie.c
> +++ b/drivers/bluetooth/btintel_pcie.c
> @@ -1360,7 +1360,8 @@ static int btintel_pcie_submit_rx_work(struct btintel_pcie_data *data, u8 status
> rfh_hdr = buf;
>
> len = rfh_hdr->packet_len;
> - if (len <= 0) {
> + if (len <= 0 ||
> + len > BTINTEL_PCIE_BUFFER_SIZE - sizeof(*rfh_hdr)) {
> ret = -EINVAL;
As this seems a broken or malicious firmware, no idea, if it’d make
sense to log it.
> goto resubmit;
> }
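Review bot: if a message is added at the `ret = -EINVAL` branch, as discussed above, it should be a ratelimited one (bt_dev_warn_ratelimited() rather than bt_dev_warn()) and should include the rejected packet_len: the value comes straight from the device, so a malfunctioning firmware could take this path on every RX completion and flood the log, while the bogus length itself is what a maintainer would want to see when triaging.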
The diff looks good:
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Kind regards,
Paul
* Re: [PATCH] Bluetooth: btintel_pcie: validate RX packet length against buffer size
2026-03-18 9:12 ` [PATCH] " Paul Menzel
@ 2026-03-19 3:07 ` Junrui Luo
0 siblings, 0 replies; 4+ messages in thread
From: Junrui Luo @ 2026-03-19 3:07 UTC (permalink / raw)
To: Paul Menzel
Cc: Marcel Holtmann, Luiz Augusto von Dentz, Kiran K,
Tedd Ho-Jeong An, Luiz Augusto von Dentz,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Yuhao Jiang, stable@vger.kernel.org
Hi Paul,
Thanks for the review.
On Wed, Mar 18, 2026 at 10:12:35AM +0100, Paul Menzel wrote:
> Thank you for your patch. It would be great if you configured your name in the
> author line – currently it only contains the address:
>
> From: moonafterrain@outlook.com
>
> No idea, why b4 is not doing it.
Sorry about that. I will fix it in v2.
> Do you have a reproducer or test case for this issue?
This was found through static analysis. It can be triggered
theoretically by a malicious or broken device.
> As this seems a broken or malicious firmware, no idea, if it’d make sense to
> log it.
Would it make sense to add a bt_dev_warn() to log the invalid
packet_len? If so, I will include it in v2.
Thanks,
Junrui Luo