The Linux Kernel Mailing List
 help / color / mirror / Atom feed
* [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
@ 2026-07-02 14:42 Jeremy Erazo
  2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Jeremy Erazo @ 2026-07-02 14:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
	Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
	linux-bluetooth, linux-kernel, Jeremy Erazo

Hi Greg, Sasha, Luiz,

Following the guidance Greg gave on my earlier report to security@kernel.org
(subject: "Bluetooth ISO: unbounded memcpy in iso_connect_ind still in stable
LTS", 2026-07-02) - that this is a stable backport miss rather than a new
security bug - here are the two backports.

Root cause: upstream commit f4da3ee15de99e ("Bluetooth: ISO: Copy BASE if
service data matches EIR_BAA_SERVICE_UUID", 2023-09-28, mainline v6.7)
addressed the OOB write in iso_connect_ind() but landed without a Fixes: tag,
so the stable autoselect bot never picked it up. linux-6.6.y (v6.6.143) and
linux-6.1.y (v6.1.176) both still ship the pre-fix code where ev3->length,
a __u8 in [0, 255], drives memcpy() directly into iso_pi(sk)->base[248].
Values in [249, 255] overflow 1 to 7 bytes into adjacent fields of struct
iso_pinfo, including the low bytes of iso_pi(sk)->conn.  FORTIFY_SOURCE
flags the write but does not block it.

Affected branch matrix (as of today, 2026-07-02):

  * linux-6.6.y  (v6.6.143)  vulnerable  - patch 1/2
  * linux-6.1.y  (v6.1.176)  vulnerable  - patch 2/2
  * linux-5.15.y            NOT affected  - iso_connect_ind PA-report handling
                                            was introduced by commit 9c0826310bfb
                                            in v6.5, after 5.15.y branched.
                                            My earlier email to security@kernel.org
                                            listed 5.15.y in error; please disregard.

Both patches are straight backports of f4da3ee15de99e:

  * 1/2 (6.6.y): applies cleanly.  eir_get_service_data(),
    EIR_BAA_SERVICE_UUID, and the eir.h include are already present in the
    tree, so this is a plain "git apply" of the upstream diff on iso.c.

  * 2/2 (6.1.y): needs a small mechanical adjustment - iso.c in 6.1.y does
    not #include "eir.h" and does not define EIR_BAA_SERVICE_UUID; both are
    added here to match the upstream commit.  eir_get_service_data() itself
    is already declared in net/bluetooth/eir.h on 6.1.y, so no other files
    are touched.  The put_user() correction that upstream f4da3ee15de99e
    also folded into iso_sock_getsockopt() is intentionally omitted; that
    hunk is an unrelated getsockopt correctness fix and dropping it keeps
    the backport minimal and focused on the OOB write.

Reachability of the underlying bug: any host with an ISO listening socket
bound as a broadcast sink (LE Audio / Auracast use case).  No pairing
required, single HCI_EV_LE_PER_ADV_REPORT event within BLE radio range.

Build verification: net/bluetooth/iso.o builds cleanly in both trees with
BT + BT_LE + BT_HCIVHCI enabled on x86_64 defconfig.  No new checkpatch
errors; the two warnings reported are "unknown commit id" (shallow clone)
and one long line in the backport-note paragraph.

I did not include a reproducer or PoC in this series because the fix is
the one Luiz/Claudia already landed upstream and there is no dispute about
the OOB write - the point of the series is only to carry the same fix into
the two LTS branches that missed it.  A userspace reproducer against
/dev/vhci exists locally and is available on request if the maintainers
want to confirm on their side.

Jeremy Erazo (2):
  Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
  Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID

 net/bluetooth/iso.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

--
2.47.3


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
  2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
@ 2026-07-02 14:42 ` Jeremy Erazo
  2026-07-02 14:42 ` [PATCH 2/2 6.1.y] " Jeremy Erazo
  2026-07-04  2:04 ` [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Jeremy Erazo @ 2026-07-02 14:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
	Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
	linux-bluetooth, linux-kernel, Jeremy Erazo

commit f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream.

Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.

[Stable backport rationale]

This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up.  linux-6.6.y HEAD (v6.6.143) still
carries the pre-fix code at net/bluetooth/iso.c:1935:

	if (sk) {
		memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
		iso_pi(sk)->base_len = ev3->length;
	}

ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248.  When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer.  FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.

The upstream refactor addresses this by:
  1. Filtering via eir_get_service_data() so only the BASE portion of
     the PA payload is copied.
  2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).

The refactor applies cleanly against v6.6.143 - eir_get_service_data(),
EIR_BAA_SERVICE_UUID, and BASE_MAX_LENGTH already exist in the 6.6.y
tree.

Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast).  No pairing required.

Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.6.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.6.y, no context conflicts]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
 net/bluetooth/iso.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 011b2187b..8843bd5c5 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -14,6 +14,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/iso.h>
+#include "eir.h"
 
 static const struct proto_ops iso_sock_ops;
 
@@ -47,6 +48,7 @@ static void iso_sock_kill(struct sock *sk);
 
 #define EIR_SERVICE_DATA_LENGTH 4
 #define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID	0x1851
 
 /* iso_pinfo flags values */
 enum {
@@ -1587,6 +1589,8 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
 		len = min_t(unsigned int, len, base_len);
 		if (copy_to_user(optval, base, len))
 			err = -EFAULT;
+		if (put_user(len, optlen))
+			err = -EFAULT;
 
 		break;
 
@@ -1928,12 +1932,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
 
 	ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
 	if (ev3) {
+		size_t base_len = ev3->length;
+		u8 *base;
+
 		sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
 					 iso_match_sync_handle_pa_report, ev3);
-
-		if (sk) {
-			memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
-			iso_pi(sk)->base_len = ev3->length;
+		base = eir_get_service_data(ev3->data, ev3->length,
+					    EIR_BAA_SERVICE_UUID, &base_len);
+		if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+			memcpy(iso_pi(sk)->base, base, base_len);
+			iso_pi(sk)->base_len = base_len;
 		}
 	} else {
 		sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2 6.1.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
  2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
  2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
@ 2026-07-02 14:42 ` Jeremy Erazo
  2026-07-04  2:04 ` [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Jeremy Erazo @ 2026-07-02 14:42 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
	Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
	linux-bluetooth, linux-kernel, Jeremy Erazo

commit f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream.

Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.

[Stable backport rationale]

This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up.  linux-6.1.y HEAD (v6.1.176) still
carries the pre-fix code at net/bluetooth/iso.c:1613:

	if (sk) {
		memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
		iso_pi(sk)->base_len = ev3->length;
	}

ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248.  When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer.  FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.

The upstream refactor addresses this by:
  1. Filtering via eir_get_service_data() so only the BASE portion of
     the PA payload is copied.
  2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).

Backport notes for 6.1.y:
  * eir_get_service_data() is already declared in net/bluetooth/eir.h.
  * The header include for eir.h and the EIR_BAA_SERVICE_UUID define
    are added here, matching the upstream commit.
  * The put_user() addition in iso_sock_getsockopt() that was part of
    the same upstream commit is not included; that hunk is a separate
    getsockopt correctness fix and is not required for the OOB write
    fix (getsockopt(BT_ISO_BASE) is a controlled path that already
    validates optlen against sizeof(iso_pi(sk)->base)).  Applying the
    getsockopt hunk here would risk a user-visible ABI change on a
    stable branch.

Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast).  No pairing required.

Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.1.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.1.y; add #include "eir.h" and EIR_BAA_SERVICE_UUID define; drop unrelated getsockopt hunk]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
 net/bluetooth/iso.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 7ea3e6335..6b8622bec 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -14,6 +14,8 @@
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/iso.h>
 
+#include "eir.h"
+
 static const struct proto_ops iso_sock_ops;
 
 static struct bt_sock_list iso_sk_list = {
@@ -46,6 +48,7 @@ static void iso_sock_kill(struct sock *sk);
 
 #define EIR_SERVICE_DATA_LENGTH 4
 #define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID	0x1851
 
 struct iso_pinfo {
 	struct bt_sock		bt;
@@ -1606,12 +1609,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
 
 	ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
 	if (ev3) {
+		size_t base_len = ev3->length;
+		u8 *base;
+
 		sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
 					 iso_match_sync_handle_pa_report, ev3);
-
-		if (sk) {
-			memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
-			iso_pi(sk)->base_len = ev3->length;
+		base = eir_get_service_data(ev3->data, ev3->length,
+					    EIR_BAA_SERVICE_UUID, &base_len);
+		if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+			memcpy(iso_pi(sk)->base, base, base_len);
+			iso_pi(sk)->base_len = base_len;
 		}
 	} else {
 		sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
  2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
  2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
  2026-07-02 14:42 ` [PATCH 2/2 6.1.y] " Jeremy Erazo
@ 2026-07-04  2:04 ` Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2026-07-04  2:04 UTC (permalink / raw)
  To: stable
  Cc: Sasha Levin, Greg Kroah-Hartman, Luiz Augusto von Dentz,
	Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
	linux-bluetooth, linux-kernel, Jeremy Erazo

On Thu, Jul 02, 2026 at 02:42:05PM +0000, Jeremy Erazo wrote:
> Root cause: upstream commit f4da3ee15de99e ("Bluetooth: ISO: Copy BASE if
> service data matches EIR_BAA_SERVICE_UUID", 2023-09-28, mainline v6.7)
> addressed the OOB write in iso_connect_ind() but landed without a Fixes: tag,
> so the stable autoselect bot never picked it up.

The upstream SHA referenced here and in the "commit
f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream." line of both patches
does not exist...

-- 
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-04  2:05 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
2026-07-02 14:42 ` [PATCH 2/2 6.1.y] " Jeremy Erazo
2026-07-04  2:04 ` [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox