X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260418000138.1848813-1-michael.bommarito@gmail.com>
In-Reply-To: <20260418000138.1848813-1-michael.bommarito@gmail.com>
From: Luiz Augusto von Dentz
Date: Mon, 20 Apr 2026 15:17:20 -0400
Subject: Re: [PATCH] Bluetooth: virtio_bt: clamp rx length before skb_put
To: Michael Bommarito
Cc: Marcel Holtmann, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, Soenke Huster, "Michael S . Tsirkin", virtualization@lists.linux.dev

Hi Michael,

On Fri, Apr 17, 2026 at 8:01 PM Michael Bommarito wrote:
>
> virtbt_rx_work() calls skb_put(skb, len) where len comes directly
> from virtqueue_get_buf() with no validation against the skb we
> posted. The RX skb is allocated as alloc_skb(1000) in
> virtbt_add_inbuf(). A malicious or buggy virtio-bt backend that
> reports used.len larger than the skb's tailroom causes skb_put() to
> call skb_over_panic() in net/core/skbuff.c, which triggers
> BUG() and panics the guest.
>
> Reproduced on a QEMU 9.0 whose virtio-bt backend reports
> used.len = 4096 into a 1000-byte rx skb:
>
>   skbuff: skb_over_panic: text:ffffffff83958e84 len:4096 put:4096
>   head:ffff88800c071000 data:ffff88800c071000 tail:0x1000
>   end:0x6c0 dev:
>   ------------[ cut here ]------------
>   kernel BUG at net/core/skbuff.c:214!
>   Call Trace:
>    skb_panic+0x160/0x162
>    skb_put.cold+0x31/0x31
>    virtbt_rx_work+0x94/0x250
>    process_one_work+0x80d/0x1510
>    worker_thread+0x4af/0xd20
>    kthread+0x2cc/0x3a0
>
> Reject any len that exceeds skb_tailroom(). Drop the skb on the
> error path; virtbt_add_inbuf() reposts a fresh one for the next
> iteration. With the check in place the same harness runs without
> BUG(); the driver logs "rx reply len %u exceeds skb tailroom %u"
> and the device keeps running.
>
> Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer overflow in USB transport layer"),
> which hardened the USB 9p transport against unchecked device-reported length.
>
> Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
> Cc: stable@vger.kernel.org
> Cc: Soenke Huster
> Signed-off-by: Michael Bommarito
> Assisted-by: Claude:claude-opus-4-7
> ---
>  drivers/bluetooth/virtio_bt.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/bluetooth/virtio_bt.c b/drivers/bluetooth/virtio_bt.c
> index 76d61af8a275..157e68b6e75f 100644
> --- a/drivers/bluetooth/virtio_bt.c
> +++ b/drivers/bluetooth/virtio_bt.c
> @@ -227,8 +227,15 @@ static void virtbt_rx_work(struct work_struct *work)
>  	if (!skb)
>  		return;
>
> -	skb_put(skb, len);
> -	virtbt_rx_handle(vbt, skb);
> +	if (len > skb_tailroom(skb)) {
> +		bt_dev_err(vbt->hdev,
> +			   "rx reply len %u exceeds skb tailroom %u\n",
> +			   len, skb_tailroom(skb));
> +		kfree_skb(skb);
> +	} else {
> +		skb_put(skb, len);
> +		virtbt_rx_handle(vbt, skb);
> +	}
>
>  	if (virtbt_add_inbuf(vbt) < 0)
>  		return;
> --
> 2.53.0

https://sashiko.dev/#/patchset/20260418000138.1848813-1-michael.bommarito%40gmail.com

All seem like valid comments to me, first one is odd to me though, never
would have thought that skb_tailroom wouldn't be enough to check if
using `skb_put` is safe.

-- 
Luiz Augusto von Dentz
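Review bot: The bound in the new `if (len > skb_tailroom(skb))` check is the skb's allocation size, not the size of the buffer the device was given. The commit message describes the rx skb as alloc_skb(1000) and calls it a 1000-byte rx skb, while the quoted panic line shows end:0x6c0 (1728 bytes) for that same skb, so skb_tailroom() on a fresh rx skb is larger than the 1000 bytes posted; a used.len between 1001 and 1728 passes this check yet claims more data than the device was ever allowed to write, and virtbt_rx_handle() then parses bytes the device never filled. Suggest comparing len against the posted length instead, for example a single constant shared by virtbt_add_inbuf() and this check, so the limit lives in one place. Minor: bt_dev_err() already terminates the message with a newline, so the trailing "\n" in "rx reply len %u exceeds skb tailroom %u\n" produces an extra blank line in the log.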
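To make the distinction behind that last remark concrete, here is an added C model that is not the driver's code and not part of the thread: a mock skb holding only the tail and end offsets the panic line reports, with the posted length (1000) and the observed end (0x6c0) as constructed constants, comparing the tailroom check from the patch against a check on the posted length.

```c
#include <stdbool.h>
#include <stdio.h>

/* Mock of the two skb offsets the skb_over_panic() line reports; not kernel code. */
struct mock_skb {
	unsigned int tail;	/* end of valid data */
	unsigned int end;	/* end of the allocated buffer */
};

/* Constructed from the report: alloc_skb(1000) posts 1000 bytes to the
 * device, but the allocator rounds up, so the panic shows end:0x6c0 (1728). */
#define VIRTBT_RX_POSTED_LEN	1000U
#define MOCK_SKB_END		0x6c0U

static unsigned int mock_skb_tailroom(const struct mock_skb *skb)
{
	return skb->end - skb->tail;
}

/* The check as the patch writes it: bound len by what the skb can hold. */
static bool rx_len_ok_tailroom(const struct mock_skb *skb, unsigned int len)
{
	return len <= mock_skb_tailroom(skb);
}

/* Tighter alternative: bound len by what was actually handed to the device. */
static bool rx_len_ok_posted(unsigned int len)
{
	return len <= VIRTBT_RX_POSTED_LEN;
}

/* Model of skb_put(): returns false where the kernel would hit BUG(). */
static bool mock_skb_put(struct mock_skb *skb, unsigned int len)
{
	if (len > mock_skb_tailroom(skb))
		return false;
	skb->tail += len;
	return true;
}

int main(void)
{
	struct mock_skb skb = { .tail = 0, .end = MOCK_SKB_END };
	unsigned int lens[] = { 4096, 1500, 512 };

	for (int i = 0; i < 3; i++)
		printf("len %4u: tailroom check %s, posted-length check %s\n",
		       lens[i], rx_len_ok_tailroom(&skb, lens[i]) ? "accepts" : "rejects",
		       rx_len_ok_posted(lens[i]) ? "accepts" : "rejects");
	return 0;
}
```

The 4096-byte case from the report is rejected by both checks, but 1500 passes the tailroom check and only the posted-length check turns it away.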