* [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
@ 2026-07-02 14:42 Jeremy Erazo
From: Jeremy Erazo @ 2026-07-02 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel, Jeremy Erazo
Hi Greg, Sasha, Luiz,
Following the guidance Greg gave on my earlier report to security@kernel.org
(subject: "Bluetooth ISO: unbounded memcpy in iso_connect_ind still in stable
LTS", 2026-07-02) - that this is a stable backport miss rather than a new
security bug - here are the two backports.
Root cause: upstream commit f4da3ee15de99e ("Bluetooth: ISO: Copy BASE if
service data matches EIR_BAA_SERVICE_UUID", 2023-09-28, mainline v6.7)
addressed the OOB write in iso_connect_ind() but landed without a Fixes: tag,
so the stable autoselect bot never picked it up. linux-6.6.y (v6.6.143) and
linux-6.1.y (v6.1.176) both still ship the pre-fix code where ev3->length,
a __u8 in [0, 255], drives memcpy() directly into iso_pi(sk)->base[248].
Values in [249, 255] overflow 1 to 7 bytes into adjacent fields of struct
iso_pinfo, including the low bytes of iso_pi(sk)->conn. FORTIFY_SOURCE
flags the write but does not block it.
Affected branch matrix (as of today, 2026-07-02):
* linux-6.6.y (v6.6.143) vulnerable - patch 1/2
* linux-6.1.y (v6.1.176) vulnerable - patch 2/2
* linux-5.15.y NOT affected - iso_connect_ind PA-report handling
was introduced by commit 9c0826310bfb
in v6.5, after 5.15.y branched.
My earlier email to security@kernel.org
listed 5.15.y in error; please disregard.
Both patches are straight backports of f4da3ee15de99e:
* 1/2 (6.6.y): applies cleanly. eir_get_service_data(),
EIR_BAA_SERVICE_UUID, and the eir.h include are already present in the
tree, so this is a plain "git apply" of the upstream diff on iso.c.
* 2/2 (6.1.y): needs a small mechanical adjustment - iso.c in 6.1.y does
not #include "eir.h" and does not define EIR_BAA_SERVICE_UUID; both are
added here to match the upstream commit. eir_get_service_data() itself
is already declared in net/bluetooth/eir.h on 6.1.y, so no other files
are touched. The put_user() correction that upstream f4da3ee15de99e
also folded into iso_sock_getsockopt() is intentionally omitted; that
hunk is an unrelated getsockopt correctness fix and dropping it keeps
the backport minimal and focused on the OOB write.
Reachability of the underlying bug: any host with an ISO listening socket
bound as a broadcast sink (LE Audio / Auracast use case). No pairing
required, single HCI_EV_LE_PER_ADV_REPORT event within BLE radio range.
Build verification: net/bluetooth/iso.o builds cleanly in both trees with
BT + BT_LE + BT_HCIVHCI enabled on x86_64 defconfig. No new checkpatch
errors; the two warnings reported are "unknown commit id" (shallow clone)
and one long line in the backport-note paragraph.
I did not include a reproducer or PoC in this series because the fix is
the one Luiz/Claudia already landed upstream and there is no dispute about
the OOB write - the point of the series is only to carry the same fix into
the two LTS branches that missed it. A userspace reproducer against
/dev/vhci exists locally and is available on request if the maintainers
want to confirm on their side.
Jeremy Erazo (2):
Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
net/bluetooth/iso.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
--
2.47.3
* [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
@ 2026-07-02 14:42 ` Jeremy Erazo
From: Jeremy Erazo @ 2026-07-02 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel, Jeremy Erazo
commit f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream.
Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.
[Stable backport rationale]
This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up. linux-6.6.y HEAD (v6.6.143) still
carries the pre-fix code at net/bluetooth/iso.c:1935:
	if (sk) {
		memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
		iso_pi(sk)->base_len = ev3->length;
	}
ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248. When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer. FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.
The upstream refactor addresses this by:
1. Filtering via eir_get_service_data() so only the BASE portion of
the PA payload is copied.
2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).
The refactor applies cleanly against v6.6.143 - eir_get_service_data(),
EIR_BAA_SERVICE_UUID, and BASE_MAX_LENGTH already exist in the 6.6.y
tree.
Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast). No pairing required.
Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.6.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.6.y, no context conflicts]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
net/bluetooth/iso.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 011b2187b..8843bd5c5 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -14,6 +14,7 @@
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/iso.h>
+#include "eir.h"
static const struct proto_ops iso_sock_ops;
@@ -47,6 +48,7 @@ static void iso_sock_kill(struct sock *sk);
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID 0x1851
/* iso_pinfo flags values */
enum {
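Review bot: the `+#define EIR_BAA_SERVICE_UUID 0x1851` line contradicts the cover letter, which states that EIR_BAA_SERVICE_UUID and the eir.h include are already present in the 6.6.y tree and that 1/2 is a plain application of the upstream diff; if the macro already exists in iso.c the context of this hunk would not match, and if it does not the cover letter and the "applies cleanly" sentence in the message should say so. The same question applies to the `+#include "eir.h"` hunk above. Please reconcile the description with the diff before this goes in.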
@@ -1587,6 +1589,8 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
len = min_t(unsigned int, len, base_len);
if (copy_to_user(optval, base, len))
err = -EFAULT;
+ if (put_user(len, optlen))
+ err = -EFAULT;
break;
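Review bot: the `+ if (put_user(len, optlen))` addition in iso_sock_getsockopt() is not mentioned anywhere in this patch's commit message, while the cover letter and patch 2/2 deliberately drop the same hunk as an unrelated getsockopt fix; either drop it here too so both LTS branches carry the same change, or add a sentence to the message stating that 6.6.y keeps it and that it changes the optlen reported to userspace for BT_ISO_BASE. As written, a reader comparing 1/2 with 2/2 has no way to tell whether the difference is intentional.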
@@ -1928,12 +1932,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
if (ev3) {
+ size_t base_len = ev3->length;
+ u8 *base;
+
sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
iso_match_sync_handle_pa_report, ev3);
-
- if (sk) {
- memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
- iso_pi(sk)->base_len = ev3->length;
+ base = eir_get_service_data(ev3->data, ev3->length,
+ EIR_BAA_SERVICE_UUID, &base_len);
+ if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+ memcpy(iso_pi(sk)->base, base, base_len);
+ iso_pi(sk)->base_len = base_len;
}
} else {
sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
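Review bot: in the `if (base && sk && base_len <= sizeof(iso_pi(sk)->base))` branch, iso_pi(sk)->base_len is only updated when all three conditions hold, so a matching listening socket whose PA report carries no BAA service data, or more than 248 bytes of it, keeps whatever base/base_len it held before; that mirrors upstream, but a line in the message saying that a rejected report leaves the previous BASE in place rather than clearing it would make the behaviour explicit. Note also that `base_len` is seeded from ev3->length and is only overwritten by eir_get_service_data() on a match, which is fine here only because `base` is NULL on the no-match path and the seeded value is never used.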
--
2.53.0
* [PATCH 2/2 6.1.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
@ 2026-07-02 14:42 ` Jeremy Erazo
From: Jeremy Erazo @ 2026-07-02 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel, Jeremy Erazo
commit f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream.
Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.
[Stable backport rationale]
This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up. linux-6.1.y HEAD (v6.1.176) still
carries the pre-fix code at net/bluetooth/iso.c:1613:
	if (sk) {
		memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
		iso_pi(sk)->base_len = ev3->length;
	}
ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248. When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer. FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.
The upstream refactor addresses this by:
1. Filtering via eir_get_service_data() so only the BASE portion of
the PA payload is copied.
2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).
Backport notes for 6.1.y:
* eir_get_service_data() is already declared in net/bluetooth/eir.h.
* The header include for eir.h and the EIR_BAA_SERVICE_UUID define
are added here, matching the upstream commit.
* The put_user() addition in iso_sock_getsockopt() that was part of
the same upstream commit is not included; that hunk is a separate
getsockopt correctness fix and is not required for the OOB write
fix (getsockopt(BT_ISO_BASE) is a controlled path that already
validates optlen against sizeof(iso_pi(sk)->base)). Applying the
getsockopt hunk here would risk a user-visible ABI change on a
stable branch.
Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast). No pairing required.
Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.1.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.1.y; add #include "eir.h" and EIR_BAA_SERVICE_UUID define; drop unrelated getsockopt hunk]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
net/bluetooth/iso.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 7ea3e6335..6b8622bec 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -14,6 +14,8 @@
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/iso.h>
+#include "eir.h"
+
static const struct proto_ops iso_sock_ops;
static struct bt_sock_list iso_sk_list = {
@@ -46,6 +48,7 @@ static void iso_sock_kill(struct sock *sk);
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID 0x1851
struct iso_pinfo {
struct bt_sock bt;
@@ -1606,12 +1609,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
if (ev3) {
+ size_t base_len = ev3->length;
+ u8 *base;
+
sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
iso_match_sync_handle_pa_report, ev3);
-
- if (sk) {
- memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
- iso_pi(sk)->base_len = ev3->length;
+ base = eir_get_service_data(ev3->data, ev3->length,
+ EIR_BAA_SERVICE_UUID, &base_len);
+ if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+ memcpy(iso_pi(sk)->base, base, base_len);
+ iso_pi(sk)->base_len = base_len;
}
} else {
sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
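Review bot: this hunk is identical to the 6.6.y one and calls eir_get_service_data() in the four-argument form (ev3->data, ev3->length, EIR_BAA_SERVICE_UUID, &base_len) with `base_len` declared as size_t; the backport notes say the function is already declared in net/bluetooth/eir.h on 6.1.y, so please state in the message that the 6.1.y declaration takes a `size_t *` for the length out-parameter, since a prototype mismatch there would surface only as a warning rather than a build failure. Otherwise the bounded-copy condition `base_len <= sizeof(iso_pi(sk)->base)` is exactly what closes the [249, 255] window described in the message.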
--
2.53.0
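The mechanism the cover letter describes, and that both "[Stable backport rationale]" sections repeat (a __u8 length driving memcpy() into a 248-byte BASE buffer, fixed by filtering on the BAA service UUID and then bounding the copy against sizeof the buffer), as an added userspace example. This is not code from the series or from the kernel tree: `struct pinfo_model`, `model_get_service_data()`, `build_report()` and `demo_case()` are stand-ins written for this page, the struct layout is the simplified tail the commit message describes rather than the real struct iso_pinfo, and the PA reports are constructed inline. It shows why the UUID filter alone is not enough: an AD structure length byte still admits up to 251 payload bytes, so the `base_len <= sizeof(base)` check is what actually rejects the oversized report.

```c
/* Added example: userspace model of the two checks the backport adds to
 * iso_connect_ind(). Not kernel code; names and layout are this model's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HCI_MAX_PER_AD_LENGTH   252
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH         (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
#define EIR_SERVICE_DATA        0x16    /* AD type: Service Data, 16-bit UUID */
#define EIR_BAA_SERVICE_UUID    0x1851

/* Simplified tail of the socket info as the commit message describes it:
 * the BASE buffer followed by the fields an unbounded copy would spill into. */
struct pinfo_model {
    uint8_t   base[BASE_MAX_LENGTH];    /* 248 bytes */
    uint8_t   base_len;
    uintptr_t conn;                     /* stands in for iso_pi(sk)->conn */
};

/* Walk the AD structures ([len][type][data...]) of a report and return the
 * payload of the Service Data entry carrying `uuid`, with *data_len set to
 * the payload length excluding the two UUID bytes. Modelled on the kernel's
 * eir_get_service_data(); the bounds handling here is this model's own. */
static const uint8_t *model_get_service_data(const uint8_t *eir, size_t eir_len,
                                             uint16_t uuid, size_t *data_len)
{
    size_t pos = 0;

    while (pos + 1 < eir_len) {
        uint8_t field_len = eir[pos];           /* type byte + data bytes */
        const uint8_t *field = eir + pos + 1;

        if (field_len == 0)
            break;                              /* zero padding: stop */
        if (pos + 1 + field_len > eir_len)
            break;                              /* truncated field: stop */

        if (field[0] == EIR_SERVICE_DATA && field_len >= 3) {
            uint16_t found = (uint16_t)(field[1] | (field[2] << 8)); /* LE */
            if (found == uuid) {
                *data_len = field_len - 3;      /* minus type + 2 UUID bytes */
                return field + 3;
            }
        }
        pos += 1 + field_len;
    }
    return NULL;
}

/* The backported logic: copy only BAA service data, and only if it fits.
 * Returns 1 when a BASE was stored, 0 when the report was ignored. */
int store_base_checked(struct pinfo_model *pi, const uint8_t *report, uint8_t length)
{
    size_t base_len = length;
    const uint8_t *base = model_get_service_data(report, length,
                                                 EIR_BAA_SERVICE_UUID, &base_len);

    if (!base || base_len > sizeof(pi->base))
        return 0;

    memcpy(pi->base, base, base_len);
    pi->base_len = (uint8_t)base_len;
    return 1;
}

/* Constructed report holding one Service Data AD structure with
 * `payload_len` payload bytes under `uuid`; returns the total length, or 0. */
size_t build_report(uint8_t *out, size_t out_size, uint16_t uuid, size_t payload_len)
{
    size_t total = 1 + 1 + 2 + payload_len;     /* len, type, UUID, payload */

    if (payload_len > 252 || total > out_size)
        return 0;
    out[0] = (uint8_t)(1 + 2 + payload_len);    /* type + UUID + payload */
    out[1] = EIR_SERVICE_DATA;
    out[2] = (uint8_t)(uuid & 0xff);            /* UUID is little-endian */
    out[3] = (uint8_t)(uuid >> 8);
    memset(out + 4, 0xAA, payload_len);
    return total;
}

/* One constructed case on a fresh struct: 1 if the BASE was stored, 0 if the
 * report was ignored, -1 if the guard field after base[] was ever disturbed. */
int demo_case(uint16_t uuid, size_t payload_len)
{
    struct pinfo_model pi = { .base_len = 0, .conn = 0xC0FFEE };
    uint8_t report[256];
    size_t n = build_report(report, sizeof report, uuid, payload_len);
    int stored = store_base_checked(&pi, report, (uint8_t)n);

    return pi.conn == 0xC0FFEE ? stored : -1;
}

int main(void)
{
    printf("BAA UUID, 100-byte payload : %d\n", demo_case(EIR_BAA_SERVICE_UUID, 100));
    printf("BAA UUID, 248-byte payload : %d\n", demo_case(EIR_BAA_SERVICE_UUID, 248));
    printf("BAA UUID, 251-byte payload : %d\n", demo_case(EIR_BAA_SERVICE_UUID, 251));
    printf("other UUID, 100-byte payload: %d\n", demo_case(0x2345, 100));
    return 0;
}
```

The 251-byte case is the one that matters for the backport: the report is a legal 255-byte __u8 length with a well-formed AD structure, so the UUID filter finds it, and only the size comparison against the 248-byte buffer turns it away. Reports under any other 16-bit UUID never reach the copy at all, which is the first half of the upstream change.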
* Re: [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
@ 2026-07-04 2:04 ` Sasha Levin
From: Sasha Levin @ 2026-07-04 2:04 UTC (permalink / raw)
To: stable
Cc: Sasha Levin, Greg Kroah-Hartman, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel, Jeremy Erazo
On Thu, Jul 02, 2026 at 02:42:05PM +0000, Jeremy Erazo wrote:
> Root cause: upstream commit f4da3ee15de99e ("Bluetooth: ISO: Copy BASE if
> service data matches EIR_BAA_SERVICE_UUID", 2023-09-28, mainline v6.7)
> addressed the OOB write in iso_connect_ind() but landed without a Fixes: tag,
> so the stable autoselect bot never picked it up.
The upstream SHA referenced here and in the "commit
f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream." line of both patches
does not exist...
--
Thanks,
Sasha