* [PATCH] Bluetooth: MGMT: validate Add Extended Advertising Data length
@ 2026-05-15 14:38 Michael Bommarito
From: Michael Bommarito @ 2026-05-15 14:38 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: Daniel Winkler, linux-bluetooth, linux-kernel
MGMT_OP_ADD_EXT_ADV_DATA is registered as a variable-length command,
with MGMT_ADD_EXT_ADV_DATA_SIZE as the fixed header size. The handler
then uses cp->adv_data_len and cp->scan_rsp_len to validate and copy
cp->data, but it never checks that those bytes are part of the mgmt
command payload.
A short command can therefore make add_ext_adv_data() pass an
out-of-bounds pointer into tlv_data_is_valid(). If the bytes beyond
the command buffer are addressable, they can also be copied into the
advertising instance as scan response data, where the caller can read
them back via MGMT_OP_GET_ADV_INSTANCE. The trigger requires
CAP_NET_ADMIN in the initial user namespace; KASAN reports an 8-byte
slab-out-of-bounds read.
Reject commands whose length does not match the fixed header plus both
advertising data lengths before parsing cp->data.
Fixes: 12410572833a ("Bluetooth: Break add adv into two mgmt commands")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
net/bluetooth/mgmt.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index b05bb380e5f8..de5bd6b637b2 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9110,9 +9110,15 @@ static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
struct adv_info *adv_instance;
int err = 0;
struct mgmt_pending_cmd *cmd;
+ u16 expected_len;
BT_DBG("%s", hdev->name);
+ expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
+ if (expected_len != data_len)
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
+ MGMT_STATUS_INVALID_PARAMS);
+
hci_dev_lock(hdev);
adv_instance = hci_find_adv_instance(hdev, cp->instance);
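Review bot: `expected_len` is declared as a u16 while struct_size() returns size_t, so the comparison at `if (expected_len != data_len)` silently truncates; with two u8 length fields on top of a small fixed header the value cannot leave the u16 range, so this is harmless here, but declaring it `size_t` (or a one-line comment stating the bound) would spare a reader from having to verify that. Placing the check before hci_dev_lock() is right, since it reads only the fixed-header fields that the registered MGMT_ADD_EXT_ADV_DATA_SIZE already guarantees are present.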
--
2.53.0
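A constructed model of the check this patch adds, written for this page and not taken from the patch or the kernel: the struct layout, the sample commands and the simplified AD-structure walk standing in for tlv_data_is_valid() are assumptions that follow the commit message. It shows why the total length must be verified against both declared payload lengths before cp->data is parsed.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the command layout from the commit message: a fixed
 * header followed by adv_data_len + scan_rsp_len payload bytes. The struct
 * is an assumption for this example, not the kernel's definition. */
struct mgmt_cp_add_ext_adv_data {
    uint8_t instance;
    uint8_t adv_data_len;
    uint8_t scan_rsp_len;
    uint8_t data[];
};
#define MGMT_ADD_EXT_ADV_DATA_SIZE offsetof(struct mgmt_cp_add_ext_adv_data, data)

/* Simplified stand-in for tlv_data_is_valid(): AD structures are
 * (length, type, value...) and none may overrun the declared region. If the
 * caller's `len` is not backed by real bytes, this walk reads out of bounds. */
int ad_tlv_ok(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t l = buf[i];
        if (l == 0 || i + 1 + l > len)
            return 0;
        i += 1 + l;
    }
    return 1;
}

/* Validation in the order the fixed handler performs it. The first test is
 * the check the patch adds: total length must equal the fixed header plus
 * both declared payloads, before anything in cp->data is parsed. */
int ext_adv_data_valid(const void *cmd, size_t data_len)
{
    const struct mgmt_cp_add_ext_adv_data *cp = cmd;
    size_t expected;
    if (data_len < MGMT_ADD_EXT_ADV_DATA_SIZE)      /* header itself incomplete */
        return 0;
    expected = MGMT_ADD_EXT_ADV_DATA_SIZE + (size_t)cp->adv_data_len
               + (size_t)cp->scan_rsp_len;
    if (expected != data_len)                       /* the patch's rejection */
        return 0;
    return ad_tlv_ok(cp->data, cp->adv_data_len) &&
           ad_tlv_ok(cp->data + cp->adv_data_len, cp->scan_rsp_len);
}

/* Constructed samples: instance 1, adv/scan lengths, then payload bytes. */
static const uint8_t SAMPLE_OK[]     = { 1, 3, 4, 0x02, 0x01, 0x06, 0x03, 0x09, 'b', 't' };
static const uint8_t SAMPLE_SHORT[]  = { 1, 3, 4 };                   /* claims 7 payload bytes, none present */
static const uint8_t SAMPLE_BADTLV[] = { 1, 3, 0, 0x05, 0x01, 0x06 }; /* AD length 5 overruns 3-byte region */
```

Without the length comparison, SAMPLE_SHORT would send ad_tlv_ok() walking 7 bytes that the command never carried, which is the out-of-bounds read the commit message describes.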
* RE: Bluetooth: MGMT: validate Add Extended Advertising Data length
From: bluez.test.bot @ 2026-05-15 15:46 UTC (permalink / raw)
To: linux-bluetooth, michael.bommarito
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1095484
---Test result---
Test Summary:
CheckPatch PASS 0.53 seconds
GitLint PASS 0.22 seconds
SubjectPrefix PASS 0.08 seconds
BuildKernel PASS 24.24 seconds
CheckAllWarning PASS 26.60 seconds
CheckSparse PASS 25.46 seconds
BuildKernel32 PASS 23.27 seconds
TestRunnerSetup PASS 519.32 seconds
TestRunner_mgmt-tester PASS 2022.40 seconds
TestRunner_mesh-tester PASS 59.05 seconds
IncrementalBuild PASS 22.61 seconds
https://github.com/bluez/bluetooth-next/pull/197
---
Regards,
Linux Bluetooth