* [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
@ 2026-07-02 14:42 ` Jeremy Erazo
2026-07-02 14:42 ` [PATCH 2/2 6.1.y] " Jeremy Erazo
` (2 subsequent siblings)
3 siblings, 0 replies; 9+ messages in thread
From: Jeremy Erazo @ 2026-07-02 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel, Jeremy Erazo
commit f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream.
Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.
[Stable backport rationale]
This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up. linux-6.6.y HEAD (v6.6.143) still
carries the pre-fix code at net/bluetooth/iso.c:1935:
if (sk) {
memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
iso_pi(sk)->base_len = ev3->length;
}
ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248. When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer. FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.
The upstream refactor addresses this by:
1. Filtering via eir_get_service_data() so only the BASE portion of
the PA payload is copied.
2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).
The refactor applies cleanly against v6.6.143 - eir_get_service_data(),
EIR_BAA_SERVICE_UUID, and BASE_MAX_LENGTH already exist in the 6.6.y
tree.
Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast). No pairing required.
Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.6.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.6.y, no context conflicts]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
net/bluetooth/iso.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 011b2187b..8843bd5c5 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -14,6 +14,7 @@
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/iso.h>
+#include "eir.h"
static const struct proto_ops iso_sock_ops;
@@ -47,6 +48,7 @@ static void iso_sock_kill(struct sock *sk);
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID 0x1851
/* iso_pinfo flags values */
enum {
@@ -1587,6 +1589,8 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
len = min_t(unsigned int, len, base_len);
if (copy_to_user(optval, base, len))
err = -EFAULT;
+ if (put_user(len, optlen))
+ err = -EFAULT;
break;
@@ -1928,12 +1932,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
if (ev3) {
+ size_t base_len = ev3->length;
+ u8 *base;
+
sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
iso_match_sync_handle_pa_report, ev3);
-
- if (sk) {
- memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
- iso_pi(sk)->base_len = ev3->length;
+ base = eir_get_service_data(ev3->data, ev3->length,
+ EIR_BAA_SERVICE_UUID, &base_len);
+ if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+ memcpy(iso_pi(sk)->base, base, base_len);
+ iso_pi(sk)->base_len = base_len;
}
} else {
sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
--
2.53.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH 2/2 6.1.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
@ 2026-07-02 14:42 ` Jeremy Erazo
2026-07-04 2:04 ` [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin
2026-07-07 22:05 ` [PATCH v2 " Jeremy Erazo (Devel Group)
3 siblings, 0 replies; 9+ messages in thread
From: Jeremy Erazo @ 2026-07-02 14:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel, Jeremy Erazo
commit f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream.
Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.
[Stable backport rationale]
This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up. linux-6.1.y HEAD (v6.1.176) still
carries the pre-fix code at net/bluetooth/iso.c:1613:
if (sk) {
memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
iso_pi(sk)->base_len = ev3->length;
}
ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248. When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer. FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.
The upstream refactor addresses this by:
1. Filtering via eir_get_service_data() so only the BASE portion of
the PA payload is copied.
2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).
Backport notes for 6.1.y:
* eir_get_service_data() is already declared in net/bluetooth/eir.h.
* The header include for eir.h and the EIR_BAA_SERVICE_UUID define
are added here, matching the upstream commit.
* The put_user() addition in iso_sock_getsockopt() that was part of
the same upstream commit is not included; that hunk is a separate
getsockopt correctness fix and is not required for the OOB write
fix (getsockopt(BT_ISO_BASE) is a controlled path that already
validates optlen against sizeof(iso_pi(sk)->base)). Applying the
getsockopt hunk here would risk a user-visible ABI change on a
stable branch.
Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast). No pairing required.
Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.1.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.1.y; add #include "eir.h" and EIR_BAA_SERVICE_UUID define; drop unrelated getsockopt hunk]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
net/bluetooth/iso.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 7ea3e6335..6b8622bec 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -14,6 +14,8 @@
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/iso.h>
+#include "eir.h"
+
static const struct proto_ops iso_sock_ops;
static struct bt_sock_list iso_sk_list = {
@@ -46,6 +48,7 @@ static void iso_sock_kill(struct sock *sk);
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID 0x1851
struct iso_pinfo {
struct bt_sock bt;
@@ -1606,12 +1609,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
if (ev3) {
+ size_t base_len = ev3->length;
+ u8 *base;
+
sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
iso_match_sync_handle_pa_report, ev3);
-
- if (sk) {
- memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
- iso_pi(sk)->base_len = ev3->length;
+ base = eir_get_service_data(ev3->data, ev3->length,
+ EIR_BAA_SERVICE_UUID, &base_len);
+ if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+ memcpy(iso_pi(sk)->base, base, base_len);
+ iso_pi(sk)->base_len = base_len;
}
} else {
sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
--
2.53.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
2026-07-02 14:42 ` [PATCH 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo
2026-07-02 14:42 ` [PATCH 2/2 6.1.y] " Jeremy Erazo
@ 2026-07-04 2:04 ` Sasha Levin
2026-07-07 22:05 ` [PATCH v2 " Jeremy Erazo (Devel Group)
3 siblings, 0 replies; 9+ messages in thread
From: Sasha Levin @ 2026-07-04 2:04 UTC (permalink / raw)
To: stable
Cc: Sasha Levin, Greg Kroah-Hartman, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel, Jeremy Erazo
On Thu, Jul 02, 2026 at 02:42:05PM +0000, Jeremy Erazo wrote:
> Root cause: upstream commit f4da3ee15de99e ("Bluetooth: ISO: Copy BASE if
> service data matches EIR_BAA_SERVICE_UUID", 2023-09-28, mainline v6.7)
> addressed the OOB write in iso_connect_ind() but landed without a Fixes: tag,
> so the stable autoselect bot never picked it up.
The upstream SHA referenced here and in the "commit
f4da3ee15de99efa0a68eae1c4d09b4bcc6d9dcd upstream." line of both patches
does not exist...
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 9+ messages in thread* [PATCH v2 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
2026-07-02 14:42 [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Jeremy Erazo
` (2 preceding siblings ...)
2026-07-04 2:04 ` [PATCH 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin
@ 2026-07-07 22:05 ` Jeremy Erazo (Devel Group)
2026-07-07 22:05 ` [PATCH v2 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo (Devel Group)
` (2 more replies)
3 siblings, 3 replies; 9+ messages in thread
From: Jeremy Erazo (Devel Group) @ 2026-07-07 22:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel
From: Jeremy Erazo <mendozayt13@gmail.com>
Hi Greg, Sasha, Luiz,
v2 respin. Two things fixed vs v1:
* The 40-char upstream SHA I put in the "commit <sha> upstream." line
of both patches was garbage. The 12-char prefix f4da3ee15de9 was
correct but I hand-expanded the tail wrong, so `git cat-file` on it
fails. Corrected to f4da3ee15de9944482382181329bb6d7335ca003.
Thanks Sasha for catching that.
* The v1 patches were asymmetric: 6.6.y accidentally carried the
put_user() hunk in iso_sock_getsockopt() that 6.1.y omitted. There
was no reason for that split; my mistake in v1. v2 drops the
put_user hunk from 6.6.y so both branches now carry identical
mechanics against their own net/bluetooth/iso.c (add #include
"eir.h", add EIR_BAA_SERVICE_UUID define, replace the memcpy() with
the eir_get_service_data() + bounds-check pattern). The put_user()
correction is a separate getsockopt correctness fix; if that hunk
is wanted in stable it should travel as its own patch.
Everything else in v1 still stands: root cause, affected branch matrix,
reachability, build verification. Re-stated below for the archive.
Root cause: upstream commit f4da3ee15de9944482382181329bb6d7335ca003
("Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID",
2023-09-28, mainline v6.7) addressed the OOB write in iso_connect_ind()
but landed without a Fixes: tag, so the stable autoselect bot never
picked it up. linux-6.6.y (v6.6.143) and linux-6.1.y (v6.1.176) both
still ship the pre-fix code where ev3->length, a __u8 in [0, 255],
drives memcpy() directly into iso_pi(sk)->base[248]. Values in
[249, 255] overflow 1 to 7 bytes into adjacent fields of struct
iso_pinfo, including the low bytes of iso_pi(sk)->conn. FORTIFY_SOURCE
flags the write but does not block it.
Affected branch matrix (as of today, 2026-07-07):
* linux-6.6.y (v6.6.143) vulnerable - patch 1/2
* linux-6.1.y (v6.1.176) vulnerable - patch 2/2
* linux-5.15.y NOT affected - iso_connect_ind PA-report
handling was introduced by
commit 9c0826310bfb in v6.5,
after 5.15.y branched.
Both patches carry the same three hunks against their own iso.c:
* add #include "eir.h"
* add #define EIR_BAA_SERVICE_UUID 0x1851
* replace the unbounded memcpy() with the upstream pattern
(eir_get_service_data() + base_len <= sizeof(iso_pi(sk)->base) guard)
Reachability of the underlying bug: any host with an ISO listening
socket bound as a broadcast sink (LE Audio / Auracast use case). No
pairing required, single HCI_EV_LE_PER_ADV_REPORT event within BLE
radio range.
Build verification: net/bluetooth/iso.o builds cleanly in both trees
with BT + BT_LE + BT_HCIVHCI enabled on x86_64 defconfig. No new
checkpatch errors; two warnings reported are "unknown commit id"
(shallow clone) and one long line in the backport-note paragraph.
I did not include a reproducer or PoC in this series because the fix
is the one Luiz/Claudia already landed upstream and there is no dispute
about the OOB write. A userspace reproducer against /dev/vhci exists
locally and is available on request if the maintainers want to confirm
on their side.
Changes in v2:
* Fix incorrect 40-char upstream SHA in the "upstream." line of both
patches (thanks Sasha).
* Drop the getsockopt put_user() hunk from 6.6.y so both patches are
symmetric.
Jeremy Erazo (2):
Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
net/bluetooth/iso.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--
2.53.0
^ permalink raw reply [flat|nested] 9+ messages in thread* [PATCH v2 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
2026-07-07 22:05 ` [PATCH v2 " Jeremy Erazo (Devel Group)
@ 2026-07-07 22:05 ` Jeremy Erazo (Devel Group)
2026-07-08 8:46 ` Greg Kroah-Hartman
2026-07-07 22:05 ` [PATCH v2 2/2 6.1.y] " Jeremy Erazo (Devel Group)
2026-07-09 1:04 ` [PATCH v2 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin
2 siblings, 1 reply; 9+ messages in thread
From: Jeremy Erazo (Devel Group) @ 2026-07-07 22:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel
From: Jeremy Erazo <mendozayt13@gmail.com>
commit f4da3ee15de9944482382181329bb6d7335ca003 upstream.
Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.
[Stable backport rationale]
This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up. linux-6.6.y HEAD (v6.6.143) still
carries the pre-fix code at net/bluetooth/iso.c:1935:
if (sk) {
memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
iso_pi(sk)->base_len = ev3->length;
}
ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248. When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer. FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.
The upstream refactor addresses this by:
1. Filtering via eir_get_service_data() so only the BASE portion of
the PA payload is copied.
2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).
Backport notes for 6.6.y:
* eir_get_service_data() is already declared in net/bluetooth/eir.h.
* The header include for eir.h and the EIR_BAA_SERVICE_UUID define
are added here, matching the upstream commit.
* The put_user() addition in iso_sock_getsockopt() that was part of
the same upstream commit is not included; that hunk is a separate
getsockopt correctness fix and is not required for the OOB write
fix (getsockopt(BT_ISO_BASE) is a controlled path that already
validates optlen against sizeof(iso_pi(sk)->base)). Applying the
getsockopt hunk here would risk a user-visible ABI change on a
stable branch.
Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast). No pairing required.
Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.6.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.6.y; add #include "eir.h" and EIR_BAA_SERVICE_UUID define; drop unrelated getsockopt hunk]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
net/bluetooth/iso.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 011b2187b..3259c9c1e 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -15,6 +15,8 @@
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/iso.h>
+#include "eir.h"
+
static const struct proto_ops iso_sock_ops;
static struct bt_sock_list iso_sk_list = {
@@ -47,6 +49,7 @@ static void iso_sock_kill(struct sock *sk);
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID 0x1851
/* iso_pinfo flags values */
enum {
@@ -1928,12 +1931,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
if (ev3) {
+ size_t base_len = ev3->length;
+ u8 *base;
+
sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
iso_match_sync_handle_pa_report, ev3);
-
- if (sk) {
- memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
- iso_pi(sk)->base_len = ev3->length;
+ base = eir_get_service_data(ev3->data, ev3->length,
+ EIR_BAA_SERVICE_UUID, &base_len);
+ if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+ memcpy(iso_pi(sk)->base, base, base_len);
+ iso_pi(sk)->base_len = base_len;
}
} else {
sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
--
2.53.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v2 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
2026-07-07 22:05 ` [PATCH v2 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo (Devel Group)
@ 2026-07-08 8:46 ` Greg Kroah-Hartman
0 siblings, 0 replies; 9+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-08 8:46 UTC (permalink / raw)
To: Jeremy Erazo (Devel Group)
Cc: stable, Sasha Levin, Luiz Augusto von Dentz, Marcel Holtmann,
Johan Hedberg, Claudia Draghicescu, linux-bluetooth, linux-kernel
On Tue, Jul 07, 2026 at 10:05:25PM +0000, Jeremy Erazo (Devel Group) wrote:
> From: Jeremy Erazo <mendozayt13@gmail.com>
>
> commit f4da3ee15de9944482382181329bb6d7335ca003 upstream.
>
> Copy the content of a Periodic Advertisement Report to BASE only if
> the service UUID is Basic Audio Announcement Service UUID.
>
> [Stable backport rationale]
>
> This fix landed in mainline v6.7 without a Fixes: tag, so the stable
> autoselect bot never picked it up. linux-6.6.y HEAD (v6.6.143) still
> carries the pre-fix code at net/bluetooth/iso.c:1935:
>
> if (sk) {
> memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
> iso_pi(sk)->base_len = ev3->length;
> }
>
> ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
> BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
> = 248. When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
> with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
> buffer into the trailing fields of struct iso_pinfo, including the low
> bytes of the iso_pi(sk)->conn pointer. FORTIFY_SOURCE flags the write
> with "memcpy: detected field-spanning write" but does not block it.
>
> The upstream refactor addresses this by:
> 1. Filtering via eir_get_service_data() so only the BASE portion of
> the PA payload is copied.
> 2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).
>
> Backport notes for 6.6.y:
> * eir_get_service_data() is already declared in net/bluetooth/eir.h.
> * The header include for eir.h and the EIR_BAA_SERVICE_UUID define
> are added here, matching the upstream commit.
> * The put_user() addition in iso_sock_getsockopt() that was part of
> the same upstream commit is not included; that hunk is a separate
> getsockopt correctness fix and is not required for the OOB write
> fix (getsockopt(BT_ISO_BASE) is a controlled path that already
> validates optlen against sizeof(iso_pi(sk)->base)). Applying the
> getsockopt hunk here would risk a user-visible ABI change on a
> stable branch.
>
> Reachability: any host with an ISO listening socket bound as a
> broadcast sink (LE Audio / Auracast). No pairing required.
>
> Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
> Cc: stable@vger.kernel.org # 6.6.y
> Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> [jerazo: backport to 6.6.y; add #include "eir.h" and EIR_BAA_SERVICE_UUID define; drop unrelated getsockopt hunk]
But eir.h was included in the original commit, you added it in a
different place from the original, why? Please try to keep changes as
close to upstream as possible when backporting.
Please fix this up and resend.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2 2/2 6.1.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID
2026-07-07 22:05 ` [PATCH v2 " Jeremy Erazo (Devel Group)
2026-07-07 22:05 ` [PATCH v2 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo (Devel Group)
@ 2026-07-07 22:05 ` Jeremy Erazo (Devel Group)
2026-07-09 1:04 ` [PATCH v2 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y Sasha Levin
2 siblings, 0 replies; 9+ messages in thread
From: Jeremy Erazo (Devel Group) @ 2026-07-07 22:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, Sasha Levin, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel
From: Jeremy Erazo <mendozayt13@gmail.com>
commit f4da3ee15de9944482382181329bb6d7335ca003 upstream.
Copy the content of a Periodic Advertisement Report to BASE only if
the service UUID is Basic Audio Announcement Service UUID.
[Stable backport rationale]
This fix landed in mainline v6.7 without a Fixes: tag, so the stable
autoselect bot never picked it up. linux-6.1.y HEAD (v6.1.176) still
carries the pre-fix code at net/bluetooth/iso.c:1613:
if (sk) {
memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
iso_pi(sk)->base_len = ev3->length;
}
ev3->length is __u8 and iso_pi(sk)->base is __u8[BASE_MAX_LENGTH] where
BASE_MAX_LENGTH is HCI_MAX_PER_AD_LENGTH(252) - EIR_SERVICE_DATA_LENGTH(4)
= 248. When an attacker within BLE radio range sends an HCI_EV_LE_PER_ADV_REPORT
with ev3->length in [249, 255], the memcpy writes 1 to 7 bytes past the
buffer into the trailing fields of struct iso_pinfo, including the low
bytes of the iso_pi(sk)->conn pointer. FORTIFY_SOURCE flags the write
with "memcpy: detected field-spanning write" but does not block it.
The upstream refactor addresses this by:
1. Filtering via eir_get_service_data() so only the BASE portion of
the PA payload is copied.
2. Bounding the copy with base_len <= sizeof(iso_pi(sk)->base).
Backport notes for 6.1.y:
* eir_get_service_data() is already declared in net/bluetooth/eir.h.
* The header include for eir.h and the EIR_BAA_SERVICE_UUID define
are added here, matching the upstream commit.
* The put_user() addition in iso_sock_getsockopt() that was part of
the same upstream commit is not included; that hunk is a separate
getsockopt correctness fix and is not required for the OOB write
fix (getsockopt(BT_ISO_BASE) is a controlled path that already
validates optlen against sizeof(iso_pi(sk)->base)). Applying the
getsockopt hunk here would risk a user-visible ABI change on a
stable branch.
Reachability: any host with an ISO listening socket bound as a
broadcast sink (LE Audio / Auracast). No pairing required.
Fixes: 9c0826310bfb ("Bluetooth: ISO: Add support for periodic adv reports processing")
Cc: stable@vger.kernel.org # 6.1.y
Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[jerazo: backport to 6.1.y; add #include "eir.h" and EIR_BAA_SERVICE_UUID define; drop unrelated getsockopt hunk]
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
---
net/bluetooth/iso.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 7ea3e6335..6b8622bec 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -14,6 +14,8 @@
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/iso.h>
+#include "eir.h"
+
static const struct proto_ops iso_sock_ops;
static struct bt_sock_list iso_sk_list = {
@@ -46,6 +48,7 @@ static void iso_sock_kill(struct sock *sk);
#define EIR_SERVICE_DATA_LENGTH 4
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+#define EIR_BAA_SERVICE_UUID 0x1851
struct iso_pinfo {
struct bt_sock bt;
@@ -1606,12 +1609,16 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
if (ev3) {
+ size_t base_len = ev3->length;
+ u8 *base;
+
sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
iso_match_sync_handle_pa_report, ev3);
-
- if (sk) {
- memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
- iso_pi(sk)->base_len = ev3->length;
+ base = eir_get_service_data(ev3->data, ev3->length,
+ EIR_BAA_SERVICE_UUID, &base_len);
+ if (base && sk && base_len <= sizeof(iso_pi(sk)->base)) {
+ memcpy(iso_pi(sk)->base, base, base_len);
+ iso_pi(sk)->base_len = base_len;
}
} else {
sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
--
2.53.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v2 0/2] Bluetooth: ISO: backport missed OOB write fix to 6.6.y and 6.1.y
2026-07-07 22:05 ` [PATCH v2 " Jeremy Erazo (Devel Group)
2026-07-07 22:05 ` [PATCH v2 1/2 6.6.y] Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID Jeremy Erazo (Devel Group)
2026-07-07 22:05 ` [PATCH v2 2/2 6.1.y] " Jeremy Erazo (Devel Group)
@ 2026-07-09 1:04 ` Sasha Levin
2 siblings, 0 replies; 9+ messages in thread
From: Sasha Levin @ 2026-07-09 1:04 UTC (permalink / raw)
To: stable
Cc: Sasha Levin, Greg Kroah-Hartman, Luiz Augusto von Dentz,
Marcel Holtmann, Johan Hedberg, Claudia Draghicescu,
linux-bluetooth, linux-kernel, Jeremy Erazo (Devel Group)
> Root cause: upstream commit f4da3ee15de9944482382181329bb6d7335ca003
> ("Bluetooth: ISO: Copy BASE if service data matches EIR_BAA_SERVICE_UUID",
> 2023-09-28, mainline v6.7) addressed the OOB write in iso_connect_ind()
> but landed without a Fixes: tag, so the stable autoselect bot never
> picked it up.
The upstream commit cherry-picks cleanly onto both trees, so I've queued
f4da3ee15de994 directly for 6.6 and 6.1 instead of the v2 patches. That
keeps the eir.h include placement identical to upstream (addressing
Greg's review) and also carries the getsockopt put_user() hunk as part
of the original commit. No need for a v3.
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 9+ messages in thread