* [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
@ 2025-10-07 23:29 pip-izony
2025-10-08 1:56 ` [PATCH v2] " pip-izony
2025-10-08 4:58 ` [PATCH] " Greg KH
0 siblings, 2 replies; 8+ messages in thread
From: pip-izony @ 2025-10-07 23:29 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Seungjin Bae, Kyungtae Kim, Luiz Augusto von Dentz, linux-kernel,
linux-bluetooth, stable
From: Seungjin Bae <eeodqql09@gmail.com>
The bfusb_rx_complete() function parses incoming URB data in while loop.
The logic does not sufficiently validate the remaining buffer size(count)
accross loop iterations, which can lead to a buffer over-read.
For example, with 4-bytes remaining buffer, if the first iteration takes
the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
only 2-bytes remain, but the else branch is trying to access the third
byte(buf[2]). This causes an out-of-bounds read and a potential kernel panic.
This patch fixes the vulnerability by adding checks to ensure enough
data remains in the buffer before it is accessed.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
drivers/bluetooth/bfusb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index 8df310983bf6..f17eae6dbd7d 100644
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -360,6 +360,10 @@ static void bfusb_rx_complete(struct urb *urb)
count -= 2;
buf += 2;
} else {
+ if (count < 3) {
+ bf_dev_err(data->hdev, "block header is too short");
+ break;
+ }
len = (buf[2] == 0) ? 256 : buf[2];
count -= 3;
buf += 3;
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v2] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
2025-10-07 23:29 [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing loop pip-izony
@ 2025-10-08 1:56 ` pip-izony
2025-10-08 3:51 ` Paul Menzel
2025-10-08 4:58 ` [PATCH] " Greg KH
1 sibling, 1 reply; 8+ messages in thread
From: pip-izony @ 2025-10-08 1:56 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Seungjin Bae, Kyungtae Kim, Luiz Augusto von Dentz, linux-kernel,
linux-bluetooth, stable
From: Seungjin Bae <eeodqql09@gmail.com>
The bfusb_rx_complete() function parses incoming URB data in while loop.
The logic does not sufficiently validate the remaining buffer size(count)
accross loop iterations, which can lead to a buffer over-read.
For example, with 4-bytes remaining buffer, if the first iteration takes
the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
only 2-bytes remain, but the else branch is trying to access the third
byte(buf[2]). This causes an out-of-bounds read and a potential kernel panic.
This patch fixes the vulnerability by adding checks to ensure enough
data remains in the buffer before it is accessed.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Fixing the error function name
drivers/bluetooth/bfusb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index 8df310983bf6..45f4ec5b6860 100644
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -360,6 +360,10 @@ static void bfusb_rx_complete(struct urb *urb)
count -= 2;
buf += 2;
} else {
+ if (count < 3) {
+ bt_dev_err(data->hdev, "block header is too short");
+ break;
+ }
len = (buf[2] == 0) ? 256 : buf[2];
count -= 3;
buf += 3;
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v2] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
2025-10-08 1:56 ` [PATCH v2] " pip-izony
@ 2025-10-08 3:51 ` Paul Menzel
2025-10-09 2:57 ` [PATCH v3] " pip-izony
0 siblings, 1 reply; 8+ messages in thread
From: Paul Menzel @ 2025-10-08 3:51 UTC (permalink / raw)
To: Seungjin Bae
Cc: Marcel Holtmann, Kyungtae Kim, Luiz Augusto von Dentz,
linux-kernel, linux-bluetooth, stable
Dear Seungjin,
Thank you for the patch.
Am 08.10.25 um 03:56 schrieb pip-izony:
> From: Seungjin Bae <eeodqql09@gmail.com>
>
> The bfusb_rx_complete() function parses incoming URB data in while loop.
… in *a* while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> accross loop iterations, which can lead to a buffer over-read.
across
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel panic.
Please re-flow for 75 characters per line.
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
> v1 -> v2: Fixing the error function name
>
> drivers/bluetooth/bfusb.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..45f4ec5b6860 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,10 @@ static void bfusb_rx_complete(struct urb *urb)
> count -= 2;
> buf += 2;
> } else {
> + if (count < 3) {
> + bt_dev_err(data->hdev, "block header is too short");
Please print count and 3.
> + break;
> + }
Please use tabs for alignment. `scripts/checkpatch.pl` should have
warned about this.
> len = (buf[2] == 0) ? 256 : buf[2];
> count -= 3;
> buf += 3;
Kind regards,
Paul
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
2025-10-07 23:29 [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing loop pip-izony
2025-10-08 1:56 ` [PATCH v2] " pip-izony
@ 2025-10-08 4:58 ` Greg KH
1 sibling, 0 replies; 8+ messages in thread
From: Greg KH @ 2025-10-08 4:58 UTC (permalink / raw)
To: pip-izony
Cc: Marcel Holtmann, Kyungtae Kim, Luiz Augusto von Dentz,
linux-kernel, linux-bluetooth, stable
On Tue, Oct 07, 2025 at 07:29:42PM -0400, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@gmail.com>
>
> The bfusb_rx_complete() function parses incoming URB data in while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> accross loop iterations, which can lead to a buffer over-read.
>
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel panic.
>
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
> drivers/bluetooth/bfusb.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..f17eae6dbd7d 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,10 @@ static void bfusb_rx_complete(struct urb *urb)
> count -= 2;
> buf += 2;
> } else {
> + if (count < 3) {
> + bf_dev_err(data->hdev, "block header is too short");
> + break;
> + }
> len = (buf[2] == 0) ? 256 : buf[2];
> count -= 3;
> buf += 3;
> --
> 2.43.0
>
>
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v3] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
2025-10-08 3:51 ` Paul Menzel
@ 2025-10-09 2:57 ` pip-izony
2025-10-09 7:01 ` Paul Menzel
0 siblings, 1 reply; 8+ messages in thread
From: pip-izony @ 2025-10-09 2:57 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Seungjin Bae, Kyungtae Kim, Luiz Augusto von Dentz, linux-kernel,
linux-bluetooth
From: Seungjin Bae <eeodqql09@gmail.com>
The bfusb_rx_complete() function parses incoming URB data in a while loop.
The logic does not sufficiently validate the remaining buffer size(count)
across loop iterations, which can lead to a buffer over-read.
For example, with 4-bytes remaining buffer, if the first iteration takes
the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
only 2-bytes remain, but the else branch is trying to access the third
byte(buf[2]). This causes an out-of-bounds read and a potential kernel
panic.
This patch fixes the vulnerability by adding checks to ensure enough
data remains in the buffer before it is accessed.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Fixing the error function name
v2 -> v3: Addressing feedback from Paul Menzel
drivers/bluetooth/bfusb.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index 8df310983bf6..90ca5ab2acc3 100644
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -360,6 +360,12 @@ static void bfusb_rx_complete(struct urb *urb)
count -= 2;
buf += 2;
} else {
+ if (count < 3) {
+ bt_dev_err(data->hdev,
+ "block header is too short (count=%d, expected=3)",
+ count);
+ break;
+ }
len = (buf[2] == 0) ? 256 : buf[2];
count -= 3;
buf += 3;
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v3] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
2025-10-09 2:57 ` [PATCH v3] " pip-izony
@ 2025-10-09 7:01 ` Paul Menzel
2025-10-09 16:48 ` [PATCH v4] " pip-izony
0 siblings, 1 reply; 8+ messages in thread
From: Paul Menzel @ 2025-10-09 7:01 UTC (permalink / raw)
To: Seungjin Bae
Cc: Marcel Holtmann, Kyungtae Kim, Luiz Augusto von Dentz,
linux-kernel, linux-bluetooth
Dear Seungjin,
Thank you for the patch.
Am 09.10.25 um 04:57 schrieb pip-izony:
> From: Seungjin Bae <eeodqql09@gmail.com>
>
> The bfusb_rx_complete() function parses incoming URB data in a while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> across loop iterations, which can lead to a buffer over-read.
>
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel
> panic.
>
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
> v1 -> v2: Fixing the error function name
> v2 -> v3: Addressing feedback from Paul Menzel
>
> drivers/bluetooth/bfusb.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..90ca5ab2acc3 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,12 @@ static void bfusb_rx_complete(struct urb *urb)
> count -= 2;
> buf += 2;
> } else {
> + if (count < 3) {
> + bt_dev_err(data->hdev,
> + "block header is too short (count=%d, expected=3)",
Why not: block header count %d < 3 (too short)
> + count);
> + break;
> + }
> len = (buf[2] == 0) ? 256 : buf[2];
> count -= 3;
> buf += 3;
Either way:
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Kind regards,
Paul
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v4] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
2025-10-09 7:01 ` Paul Menzel
@ 2025-10-09 16:48 ` pip-izony
2025-10-09 17:14 ` Luiz Augusto von Dentz
0 siblings, 1 reply; 8+ messages in thread
From: pip-izony @ 2025-10-09 16:48 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Seungjin Bae, Kyungtae Kim, Luiz Augusto von Dentz, linux-kernel,
linux-bluetooth
From: Seungjin Bae <eeodqql09@gmail.com>
The bfusb_rx_complete() function parses incoming URB data in a while loop.
The logic does not sufficiently validate the remaining buffer size(count)
across loop iterations, which can lead to a buffer over-read.
For example, with 4-bytes remaining buffer, if the first iteration takes
the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
only 2-bytes remain, but the else branch is trying to access the third
byte(buf[2]). This causes an out-of-bounds read and a potential kernel
panic.
This patch fixes the vulnerability by adding checks to ensure enough
data remains in the buffer before it is accessed.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Fixing the error function name
v2 -> v3: Addressing feedback from Paul Menzel
v3 -> v4: Improving the error message for the block header count
drivers/bluetooth/bfusb.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index 8df310983bf6..02ba16775004 100644
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -360,6 +360,11 @@ static void bfusb_rx_complete(struct urb *urb)
count -= 2;
buf += 2;
} else {
+ if (count < 3) {
+ bt_dev_err(data->hdev, "block header count %d < 3 (too short)",
+ count);
+ break;
+ }
len = (buf[2] == 0) ? 256 : buf[2];
count -= 3;
buf += 3;
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v4] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
2025-10-09 16:48 ` [PATCH v4] " pip-izony
@ 2025-10-09 17:14 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 8+ messages in thread
From: Luiz Augusto von Dentz @ 2025-10-09 17:14 UTC (permalink / raw)
To: pip-izony; +Cc: Marcel Holtmann, Kyungtae Kim, linux-kernel, linux-bluetooth
Hi Pip-Izony,
On Thu, Oct 9, 2025 at 12:51 PM pip-izony <eeodqql09@gmail.com> wrote:
>
> From: Seungjin Bae <eeodqql09@gmail.com>
>
> The bfusb_rx_complete() function parses incoming URB data in a while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> across loop iterations, which can lead to a buffer over-read.
>
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel
> panic.
>
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
This is sort of useless if you ask me, this driver is never used in
practice, and even in case someone still have the only model it
handles USB_DEVICE(0x057c, 0x2200) I bet it would have been easier to
just add it to btusb since it appears to be using the standard class
as well.
> ---
> v1 -> v2: Fixing the error function name
> v2 -> v3: Addressing feedback from Paul Menzel
> v3 -> v4: Improving the error message for the block header count
>
> drivers/bluetooth/bfusb.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..02ba16775004 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,11 @@ static void bfusb_rx_complete(struct urb *urb)
> count -= 2;
> buf += 2;
> } else {
> + if (count < 3) {
> + bt_dev_err(data->hdev, "block header count %d < 3 (too short)",
> + count);
> + break;
> + }
> len = (buf[2] == 0) ? 256 : buf[2];
> count -= 3;
> buf += 3;
> --
> 2.43.0
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2025-10-09 17:14 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-07 23:29 [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing loop pip-izony
2025-10-08 1:56 ` [PATCH v2] " pip-izony
2025-10-08 3:51 ` Paul Menzel
2025-10-09 2:57 ` [PATCH v3] " pip-izony
2025-10-09 7:01 ` Paul Menzel
2025-10-09 16:48 ` [PATCH v4] " pip-izony
2025-10-09 17:14 ` Luiz Augusto von Dentz
2025-10-08 4:58 ` [PATCH] " Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox