* [PATCH 0/2] Bluetooth: btmtk: WMT event length validation (CVE-2026-46140) - 6.6.y backport
@ 2026-06-26 10:46 Siva Balasubramanian
From: Siva Balasubramanian @ 2026-06-26 10:46 UTC (permalink / raw)
To: stable; +Cc: tristan, pav, luiz.von.dentz, linux-bluetooth,
Siva Balasubramanian
Please consider the following two upstream commits for 6.6.y. They are
present in 6.12.y but missing from 6.6.y (latest checked: v6.6.143),
which contains the offending commit d019930b0049 ("Bluetooth: btmtk:
move btusb_mtk_hci_wmt_sync to btmtk.c") and is therefore affected.

  634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before
  struct access") -- CVE-2026-46140, tagged Cc: stable

  e3ac0d9f1a20 ("Bluetooth: btmtk: accept too short WMT FUNC_CTRL
  events") -- Fixes the above; regression fix for
  real MT7925/MT7922 hardware. Both are needed together.

The first patch fixes an out-of-bounds read: btmtk_usb_hci_wmt_sync()
casts the WMT event response SKB data into struct btmtk_hci_wmt_evt /
struct btmtk_hci_wmt_evt_funcc without checking the SKB length first.

The second patch is the required follow-up: the strict length check
breaks devices that legitimately send a shorter FUNC_CTRL event, so it
must accompany the first.

Both cherry-pick cleanly onto linux-6.6.y at v6.6.143 with no conflicts;
skb_pull_data() is available in 6.6.y. Compile-tested only
(CC [M] drivers/bluetooth/btmtk.o) - no affected hardware available.
Pauli Virtanen (1):
Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
Tristan Madani (1):
Bluetooth: btmtk: validate WMT event SKB length before struct access
drivers/bluetooth/btmtk.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--
2.34.1
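An added userspace model of the length handling the two patches introduce, written for this note and not taken from the driver: a pull_data() that behaves like skb_pull_data() (returns NULL and leaves the buffer untouched when too few bytes remain), and a FUNC_CTRL parser that rejects a truncated header as patch 1/2 does and treats a missing status field as ON_UNDONE as patch 2/2 does. The 7/9-byte sizes come from the commit message; the opcode offset, opcode value, result codes and sample frames are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Result codes modelled on BTMTK_WMT_ON_DONE / ON_UNDONE; values are ours. */
#define WMT_ON_DONE    1
#define WMT_ON_UNDONE  2
#define WMT_ERR       -1

/* Assumed layout: 7-byte base event (the page's struct btmtk_hci_wmt_evt
 * size), WMT opcode at byte 3, then for FUNC_CTRL a 2-byte big-endian
 * status (9 bytes total). The opcode value 0x06 is assumed too. */
#define WMT_HDR_LEN   7
#define WMT_OP_OFFSET 3
#define FUNC_CTRL_OP  0x06

struct buf { const uint8_t *data; size_t len; };

/* Model of skb_pull_data(): return the current head and advance past n
 * bytes, or return NULL and leave the buffer untouched if n > len. */
static const uint8_t *pull_data(struct buf *b, size_t n)
{
    const uint8_t *p = b->data;
    if (b->len < n)
        return NULL;
    b->data += n;
    b->len -= n;
    return p;
}

/* Parse a FUNC_CTRL response as the two patches leave the driver: short
 * header or wrong opcode -> error (patch 1/2); missing status -> ON_UNDONE
 * rather than error (patch 2/2); no byte past len is ever read. */
int parse_func_ctrl(const uint8_t *frame, size_t len)
{
    struct buf b = { frame, len };
    const uint8_t *hdr = pull_data(&b, WMT_HDR_LEN);
    const uint8_t *st;
    if (!hdr || hdr[WMT_OP_OFFSET] != FUNC_CTRL_OP)
        return WMT_ERR;
    st = pull_data(&b, 2);
    if (!st)
        return WMT_ON_UNDONE;
    return ((st[0] << 8) | st[1]) == 0x404 ? WMT_ON_DONE : WMT_ON_UNDONE;
}

/* Constructed sample responses (not captured from hardware). */
const uint8_t wmt_done[]      = { 0xe4, 7, 0x02, 0x06, 0, 0, 0, 0x04, 0x04 };
const uint8_t wmt_undone[]    = { 0xe4, 7, 0x02, 0x06, 0, 0, 0, 0x00, 0x00 };
const uint8_t wmt_no_status[] = { 0xe4, 5, 0x02, 0x06, 0, 0, 0 };
const uint8_t wmt_truncated[] = { 0xe4, 2, 0x02, 0x06 };
const uint8_t wmt_wrong_op[]  = { 0xe4, 7, 0x02, 0x01, 0, 0, 0, 0x04, 0x04 };
```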
* [PATCH 1/2] Bluetooth: btmtk: validate WMT event SKB length before struct access
From: Siva Balasubramanian @ 2026-06-26 10:46 UTC (permalink / raw)
To: stable
Cc: tristan, pav, luiz.von.dentz, linux-bluetooth, Greg Kroah-Hartman,
Siva Balasubramanian
From: Tristan Madani <tristan@talencesecurity.com>
commit 634a4408c0615c523cf7531790f4f14a422b9206 upstream.
btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
(9 bytes) without first checking that the SKB contains enough data.
A short firmware response causes out-of-bounds reads from SKB tailroom.

Use skb_pull_data() to validate and advance past the base WMT event
header. For the FUNC_CTRL case, pull the additional status field bytes
before accessing them.
Fixes: d019930b0049 ("Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 634a4408c0615c523cf7531790f4f14a422b9206)
Signed-off-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
---
drivers/bluetooth/btmtk.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index ad8753dda826..5c6f4d4b2e7f 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -655,8 +655,13 @@ int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
if (data->evt_skb == NULL)
goto err_free_wc;
- /* Parse and handle the return WMT event */
- wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data;
+ wmt_evt = skb_pull_data(data->evt_skb, sizeof(*wmt_evt));
+ if (!wmt_evt) {
+ bt_dev_err(hdev, "WMT event too short (%u bytes)",
+ data->evt_skb->len);
+ err = -EINVAL;
+ goto err_free_skb;
+ }
if (wmt_evt->whdr.op != hdr->op) {
bt_dev_err(hdev, "Wrong op received %d expected %d",
wmt_evt->whdr.op, hdr->op);
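Review bot: the comment "/* Parse and handle the return WMT event */" is dropped along with the old cast rather than kept above the new skb_pull_data() call; keeping it costs nothing and still documents what the block does. The error path is correct as written: a failed skb_pull_data() returns NULL without touching the skb, so the "%u bytes" printed from data->evt_skb->len is the real (short) length, and err_free_skb releases the skb. Note that after a successful pull data->evt_skb->data no longer points at the event header, so the rest of the function must keep using wmt_evt rather than re-reading evt_skb->data, which the visible lines do.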
@@ -672,6 +677,12 @@ int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
status = BTMTK_WMT_PATCH_DONE;
break;
case BTMTK_WMT_FUNC_CTRL:
+ if (!skb_pull_data(data->evt_skb,
+ sizeof(wmt_evt_funcc->status))) {
+ err = -EINVAL;
+ goto err_free_skb;
+ }
+
wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
status = BTMTK_WMT_ON_DONE;
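Review bot: the short-event branch in the BTMTK_WMT_FUNC_CTRL case returns -EINVAL silently, unlike the header check earlier in this patch that logs with bt_dev_err(); a matching bt_dev_err(hdev, "WMT FUNC_CTRL event too short (%u bytes)", data->evt_skb->len) would make a misbehaving firmware visible in the log instead of surfacing only as the caller's generic failure. The pull's return value is discarded and wmt_evt_funcc is instead obtained by casting wmt_evt, which is only correct while struct btmtk_hci_wmt_evt_funcc is exactly the 7-byte base event followed by the 2-byte status (the 9-byte layout the commit message states); a BUILD_BUG_ON(sizeof(*wmt_evt_funcc) != sizeof(*wmt_evt) + sizeof(wmt_evt_funcc->status)) next to the check would pin that assumption down.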
--
2.34.1
* [PATCH 2/2] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Siva Balasubramanian @ 2026-06-26 10:46 UTC (permalink / raw)
To: stable
Cc: tristan, pav, luiz.von.dentz, linux-bluetooth, Mikhail Gavrilov,
Greg Kroah-Hartman, Siva Balasubramanian
From: Pauli Virtanen <pav@iki.fi>
commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b upstream.
MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.

Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
length before struct access") the status was read from out-of-bounds of
SKB data, which usually would result to success with
BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
check added in that commit returns with error instead, producing
"Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
device unusable.

Fix the regression by interpreting too short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2)
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b)
Signed-off-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
---
drivers/bluetooth/btmtk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 5c6f4d4b2e7f..582915f9a8d7 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -679,8 +679,8 @@ int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
case BTMTK_WMT_FUNC_CTRL:
if (!skb_pull_data(data->evt_skb,
sizeof(wmt_evt_funcc->status))) {
- err = -EINVAL;
- goto err_free_skb;
+ status = BTMTK_WMT_ON_UNDONE;
+ break;
}
wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
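Review bot: the "break" inside the if leaves the switch with status = BTMTK_WMT_ON_UNDONE before the cast on the following line, so a truncated event is never dereferenced, which is the right shape. The short event is now accepted completely silently, though, and the commit message itself says the firmware's intent is unknown; a bt_dev_dbg(hdev, "WMT FUNC_CTRL event without status (%u bytes)", data->evt_skb->len) in the if body would keep the quirk observable when debugging instead of being indistinguishable from a genuine ON_UNDONE status.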
--
2.34.1
* RE: Bluetooth: btmtk: WMT event length validation (CVE-2026-46140) - 6.6.y backport
From: bluez.test.bot @ 2026-06-26 13:14 UTC (permalink / raw)
To: linux-bluetooth, sivakumar.bs
This is an automated email and please do not reply to this email.
Dear Submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.
----- Output -----
error: patch failed: drivers/bluetooth/btmtk.c:655
error: drivers/bluetooth/btmtk.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch
Please resolve the issue and submit the patches again.
---
Regards,
Linux Bluetooth