public inbox for linux-bluetooth@vger.kernel.org
* [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
@ 2026-04-17 10:46 Tristan Madani
From: Tristan Madani @ 2026-04-17 10:46 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, marcel, sven, marcan, asahi, stable

From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled entry->len is used as the memcpy size for inline
payload data without bounds checking when the PAYLOAD_MAPPED flag is not
set. This causes out-of-bounds reads from the completion ring DMA memory
for the HCI_D2H and SCO_D2H transfer rings.

Add a length validation against the completion ring payload_size.

Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 drivers/bluetooth/hci_bcm4377.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c
index 925d0a635..5d2f594c2 100644
--- a/drivers/bluetooth/hci_bcm4377.c
+++ b/drivers/bluetooth/hci_bcm4377.c
@@ -755,6 +755,13 @@ static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
 	msg_id = le16_to_cpu(entry->msg_id);
 	transfer_ring = le16_to_cpu(entry->ring_id);
 
+	if (data_len > ring->payload_size) {
+		dev_warn(&bcm4377->pdev->dev,
+			 "event data len %zu exceeds payload size %zu for ring %d\n",
+			 data_len, ring->payload_size, ring->ring_id);
+		return;
+	}
+
 	if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
 		dev_warn(
 			&bcm4377->pdev->dev,
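Review bot: the new check is unconditional at this point in bcm4377_handle_completion(), whereas the commit message scopes the out-of-bounds read to the inline case where PAYLOAD_MAPPED is not set; if an event with a mapped payload can legitimately carry an entry->len larger than the completion ring's payload_size, `if (data_len > ring->payload_size)` would now drop valid events on those rings, so either gate the check on the flag or state in the commit message why data_len is bounded by the completion ring's payload_size for both paths. Since the length is firmware-controlled, dev_warn_ratelimited() would also keep a misbehaving device from flooding the log with this message.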
-- 
2.47.3
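A constructed C model of the check the patch describes, added here as an example and not code from the hci_bcm4377 driver or from the patch: a completion entry whose firmware-written len field is used as the memcpy size for an inline payload, with the length validated against the ring's payload_size first. The model_* names, the entry layout, MODEL_PAYLOAD_SIZE and the sample entries are assumptions; the boundary behaviour (a length equal to payload_size is accepted, one byte more is rejected) follows the strict `>` comparison in the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the inline payload area of one completion entry. */
#define MODEL_PAYLOAD_SIZE 64

/* Constructed entry layout (an assumption): a firmware-written header
 * followed by an inline payload area. Field names follow the commit
 * message (msg_id, ring_id, len). */
struct model_completion_entry {
	uint16_t msg_id;
	uint16_t ring_id;
	uint32_t len;                      /* firmware-controlled length */
	uint8_t payload[MODEL_PAYLOAD_SIZE];
};

/* Driver-side view of the completion ring: the payload size it allocated. */
struct model_completion_ring {
	int ring_id;
	size_t payload_size;
};

/* Validate the firmware-supplied length before it becomes a copy size.
 * Returns 0 when the inline payload can be copied safely, -1 otherwise. */
int model_event_len_ok(const struct model_completion_ring *ring,
		       const struct model_completion_entry *entry)
{
	size_t data_len = entry->len;

	if (data_len > ring->payload_size) {
		fprintf(stderr,
			"event data len %zu exceeds payload size %zu for ring %d\n",
			data_len, ring->payload_size, ring->ring_id);
		return -1;
	}
	return 0;
}

/* Copy the inline payload into a caller buffer only after validation.
 * Returns the number of bytes copied, or -1 when the entry was rejected.
 * Without the guard, entry->len would reach memcpy unchecked and a value
 * beyond payload_size would read past the entry's inline area. */
int model_copy_inline_payload(const struct model_completion_ring *ring,
			      const struct model_completion_entry *entry,
			      uint8_t *dst, size_t dst_size)
{
	size_t data_len;

	if (model_event_len_ok(ring, entry) < 0)
		return -1;
	data_len = entry->len;
	if (data_len > dst_size)   /* caller buffer; separate from the firmware check */
		return -1;
	memcpy(dst, entry->payload, data_len);
	return (int)data_len;
}

/* Constructed sample entry on ring 3 whose payload bytes are 0,1,2,... */
struct model_completion_entry model_sample_entry(uint32_t len)
{
	struct model_completion_entry e;
	size_t i;

	memset(&e, 0, sizeof(e));
	e.msg_id = 7;
	e.ring_id = 3;
	e.len = len;
	for (i = 0; i < MODEL_PAYLOAD_SIZE; i++)
		e.payload[i] = (uint8_t)i;
	return e;
}

/* Run one constructed entry through the handler and report the result. */
int model_probe(uint32_t len)
{
	struct model_completion_ring ring;
	struct model_completion_entry entry = model_sample_entry(len);
	uint8_t buf[MODEL_PAYLOAD_SIZE];

	ring.ring_id = 3;
	ring.payload_size = MODEL_PAYLOAD_SIZE;
	return model_copy_inline_payload(&ring, &entry, buf, sizeof(buf));
}

int main(void)
{
	printf("len 16: %d\n", model_probe(16));
	printf("len %d: %d\n", MODEL_PAYLOAD_SIZE, model_probe(MODEL_PAYLOAD_SIZE));
	printf("len %d: %d\n", MODEL_PAYLOAD_SIZE + 1, model_probe(MODEL_PAYLOAD_SIZE + 1));
	printf("len 0x1000: %d\n", model_probe(0x1000));
	return 0;
}
```

The probe with len 0x1000 is the case the commit message describes: without the guard the copy would run far past the entry's inline area into neighbouring ring memory, and the only signal a defender would see is whatever corrupted or leaked bytes the resulting skb carries; with it, the event is dropped and a warning records the ring and the offending length.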



* RE: [v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
@ 2026-04-17 12:08 ` bluez.test.bot
From: bluez.test.bot @ 2026-04-17 12:08 UTC (permalink / raw)
  To: linux-bluetooth, tristmd


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1082469

---Test result---

Test Summary:
CheckPatch                    PASS      0.74 seconds
GitLint                       PASS      0.34 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      27.35 seconds
CheckAllWarning               PASS      29.94 seconds
CheckSparse                   PASS      29.01 seconds
BuildKernel32                 PASS      26.57 seconds
TestRunnerSetup               PASS      588.93 seconds
IncrementalBuild              PASS      26.60 seconds



https://github.com/bluez/bluetooth-next/pull/99

---
Regards,
Linux Bluetooth



* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
@ 2026-04-17 12:55 ` Neal Gompa
From: Neal Gompa @ 2026-04-17 12:55 UTC (permalink / raw)
  To: Tristan Madani
  Cc: linux-bluetooth, luiz.dentz, marcel, sven, marcan, asahi, stable

On Fri, Apr 17, 2026 at 6:49 AM Tristan Madani <tristmd@gmail.com> wrote:
>
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The firmware-controlled entry->len is used as the memcpy size for inline
> payload data without bounds checking when the PAYLOAD_MAPPED flag is not
> set. This causes out-of-bounds reads from the completion ring DMA memory
> for the HCI_D2H and SCO_D2H transfer rings.
>
> Add a length validation against the completion ring payload_size.
>
> Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
>  drivers/bluetooth/hci_bcm4377.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c
> index 925d0a635..5d2f594c2 100644
> --- a/drivers/bluetooth/hci_bcm4377.c
> +++ b/drivers/bluetooth/hci_bcm4377.c
> @@ -755,6 +755,13 @@ static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
>         msg_id = le16_to_cpu(entry->msg_id);
>         transfer_ring = le16_to_cpu(entry->ring_id);
>
> +       if (data_len > ring->payload_size) {
> +               dev_warn(&bcm4377->pdev->dev,
> +                        "event data len %zu exceeds payload size %zu for ring %d\n",
> +                        data_len, ring->payload_size, ring->ring_id);
> +               return;
> +       }
> +
>         if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
>                 dev_warn(
>                         &bcm4377->pdev->dev,
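Review bot: the early `return` after the warning drops the event without any of the ring bookkeeping that the rest of the function presumably performs; since the rejected entry has already been consumed from the completion ring, it is worth confirming in the commit message that nothing else in the function needs to run for a dropped entry, and that a stream of such entries leaves the ring in a usable state rather than wedging the transfer ring waiting on the event.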
> --
> 2.47.3
>
>

Seems sensible enough.

Reviewed-by: Neal Gompa <neal@gompa.dev>


-- 
真実はいつも一つ!/ Always, there's only one truth!
