* [PATCH] Bluetooth: eir: Fix OOB read in eir_get_service_data()
@ 2026-06-24 11:54 HyeongJun An
2026-06-24 14:19 ` bluez.test.bot
2026-06-24 14:32 ` [PATCH v2] " HyeongJun An
0 siblings, 2 replies; 4+ messages in thread
From: HyeongJun An @ 2026-06-24 11:54 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, HyeongJun An, stable
eir_get_service_data() walks the advertising data looking for a Service
Data field with a matching UUID. eir_get_data() returns a pointer to the
matched field's data (field + 2) and reports dlen = field_len - 1 (the
data length only), while the field actually spans field_len + 1 = dlen + 2
bytes once its length and type bytes are counted.
On a UUID mismatch the loop advances:
eir += dlen;
eir_len -= dlen;
The pointer advance is correct, but eir_len is decremented by only dlen --
2 less than the bytes the field really spans (and less still when
eir_get_data() skipped preceding non-Service-Data fields). eir_len thus
over-counts the remaining buffer, and the error compounds across fields.
As eir_get_data() bounds its walk by this inflated eir_len, it ends up
reading the length/type bytes of a "field" past the end of the buffer.
For an ISO broadcast sink the buffer is hcon->le_per_adv_data[], filled
from the periodic-advertising reports of a remote broadcaster and parsed
by eir_get_service_data() in net/bluetooth/iso.c. A crafted PA payload
packed with mismatching Service Data fields drives the walk past the
array into adjacent struct hci_conn memory -- a remotely triggerable
out-of-bounds read; when a drifted field happens to match the BAA UUID
the out-of-bounds bytes are copied into iso_pi(sk)->base and become
readable from user space via getsockopt(BT_ISO_BASE).
Keep eir_len in sync with the pointer by recomputing it from the end of
the buffer on each iteration.
Fixes: 8f9ae5b3ae80 ("Bluetooth: eir: Add helpers for managing service data")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
net/bluetooth/eir.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
index 1de5f9df6eec..a55696820b22 100644
--- a/net/bluetooth/eir.c
+++ b/net/bluetooth/eir.c
@@ -369,6 +369,7 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr)
void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
{
+ const u8 *eir_end = eir + eir_len;
size_t dlen;
while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, &dlen))) {
@@ -381,7 +382,7 @@ void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
}
eir += dlen;
- eir_len -= dlen;
+ eir_len = eir_end - eir;
}
return NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* RE: Bluetooth: eir: Fix OOB read in eir_get_service_data()
2026-06-24 11:54 [PATCH] Bluetooth: eir: Fix OOB read in eir_get_service_data() HyeongJun An
@ 2026-06-24 14:19 ` bluez.test.bot
2026-06-24 14:32 ` [PATCH v2] " HyeongJun An
1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-06-24 14:19 UTC (permalink / raw)
To: linux-bluetooth, sammiee5311
[-- Attachment #1: Type: text/plain, Size: 2653 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1115877
---Test result---
Test Summary:
CheckPatch PASS 1.35 seconds
VerifyFixes PASS 0.31 seconds
VerifySignedoff PASS 0.20 seconds
GitLint FAIL 0.71 seconds
SubjectPrefix PASS 0.37 seconds
BuildKernel PASS 27.00 seconds
CheckAllWarning PASS 29.24 seconds
CheckSparse PASS 27.97 seconds
BuildKernel32 PASS 25.97 seconds
CheckKernelLLVM SKIP 0.00 seconds
TestRunnerSetup PASS 574.54 seconds
TestRunner_l2cap-tester PASS 57.98 seconds
TestRunner_iso-tester PASS 78.50 seconds
TestRunner_bnep-tester PASS 18.88 seconds
TestRunner_mgmt-tester FAIL 209.96 seconds
TestRunner_rfcomm-tester PASS 25.44 seconds
TestRunner_sco-tester PASS 32.55 seconds
TestRunner_ioctl-tester PASS 25.60 seconds
TestRunner_mesh-tester FAIL 26.07 seconds
TestRunner_smp-tester PASS 22.95 seconds
TestRunner_userchan-tester PASS 19.95 seconds
TestRunner_6lowpan-tester PASS 22.94 seconds
IncrementalBuild PASS 25.85 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: eir: Fix OOB read in eir_get_service_data()
11: B3 Line contains hard tab characters (\t): " eir += dlen;"
12: B3 Line contains hard tab characters (\t): " eir_len -= dlen;"
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.233 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.439 seconds
Mesh - Send cancel - 2 Timed out 1.991 seconds
https://github.com/bluez/bluetooth-next/pull/347
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2] Bluetooth: eir: Fix OOB read in eir_get_service_data()
2026-06-24 11:54 [PATCH] Bluetooth: eir: Fix OOB read in eir_get_service_data() HyeongJun An
2026-06-24 14:19 ` bluez.test.bot
@ 2026-06-24 14:32 ` HyeongJun An
2026-06-24 16:39 ` [v2] " bluez.test.bot
1 sibling, 1 reply; 4+ messages in thread
From: HyeongJun An @ 2026-06-24 14:32 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, HyeongJun An, stable
eir_get_service_data() walks the advertising data looking for a Service
Data field with a matching UUID. eir_get_data() returns a pointer to the
matched field's data (field + 2) and reports dlen = field_len - 1 (the
data length only), while the field actually spans field_len + 1 = dlen + 2
bytes once its length and type bytes are counted.
On a UUID mismatch the loop advances:
eir += dlen;
eir_len -= dlen;
The pointer advance is correct, but eir_len is decremented by only dlen --
2 less than the bytes the field really spans (and less still when
eir_get_data() skipped preceding non-Service-Data fields). eir_len thus
over-counts the remaining buffer, and the error compounds across fields.
As eir_get_data() bounds its walk by this inflated eir_len, it ends up
reading the length/type bytes of a "field" past the end of the buffer.
For an ISO broadcast sink the buffer is hcon->le_per_adv_data[], filled
from the periodic-advertising reports of a remote broadcaster and parsed
by eir_get_service_data() in net/bluetooth/iso.c. A crafted PA payload
packed with mismatching Service Data fields drives the walk past the
array into adjacent struct hci_conn memory -- a remotely triggerable
out-of-bounds read; when a drifted field happens to match the BAA UUID
the out-of-bounds bytes are copied into iso_pi(sk)->base and become
readable from user space via getsockopt(BT_ISO_BASE).
Keep eir_len in sync with the pointer by recomputing it from the end of
the buffer on each iteration.
Fixes: 8f9ae5b3ae80 ("Bluetooth: eir: Add helpers for managing service data")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
Changes in v2:
- Untab the commit-message code snippet to satisfy the gitlint check; no
code change.
net/bluetooth/eir.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
index 1de5f9df6eec..a55696820b22 100644
--- a/net/bluetooth/eir.c
+++ b/net/bluetooth/eir.c
@@ -369,6 +369,7 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr)
void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
{
+ const u8 *eir_end = eir + eir_len;
size_t dlen;
while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, &dlen))) {
@@ -381,7 +382,7 @@ void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
}
eir += dlen;
- eir_len -= dlen;
+ eir_len = eir_end - eir;
}
return NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* RE: [v2] Bluetooth: eir: Fix OOB read in eir_get_service_data()
2026-06-24 14:32 ` [PATCH v2] " HyeongJun An
@ 2026-06-24 16:39 ` bluez.test.bot
0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-06-24 16:39 UTC (permalink / raw)
To: linux-bluetooth, sammiee5311
[-- Attachment #1: Type: text/plain, Size: 2389 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1115967
---Test result---
Test Summary:
CheckPatch PASS 1.15 seconds
VerifyFixes PASS 0.34 seconds
VerifySignedoff PASS 0.34 seconds
GitLint PASS 0.54 seconds
SubjectPrefix PASS 0.80 seconds
BuildKernel PASS 26.37 seconds
CheckAllWarning PASS 28.90 seconds
CheckSparse PASS 28.03 seconds
BuildKernel32 PASS 25.68 seconds
CheckKernelLLVM SKIP 0.00 seconds
TestRunnerSetup PASS 567.29 seconds
TestRunner_l2cap-tester PASS 57.85 seconds
TestRunner_iso-tester PASS 98.51 seconds
TestRunner_bnep-tester PASS 18.83 seconds
TestRunner_mgmt-tester FAIL 214.90 seconds
TestRunner_rfcomm-tester PASS 25.00 seconds
TestRunner_sco-tester PASS 32.03 seconds
TestRunner_ioctl-tester PASS 25.36 seconds
TestRunner_mesh-tester FAIL 25.01 seconds
TestRunner_smp-tester PASS 23.05 seconds
TestRunner_userchan-tester PASS 19.97 seconds
TestRunner_6lowpan-tester PASS 22.74 seconds
IncrementalBuild PASS 25.12 seconds
Details
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.248 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 1.986 seconds
Mesh - Send cancel - 2 Timed out 1.990 seconds
https://github.com/bluez/bluetooth-next/pull/348
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-24 16:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-24 11:54 [PATCH] Bluetooth: eir: Fix OOB read in eir_get_service_data() HyeongJun An
2026-06-24 14:19 ` bluez.test.bot
2026-06-24 14:32 ` [PATCH v2] " HyeongJun An
2026-06-24 16:39 ` [v2] " bluez.test.bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox