* [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: Tristan Madani @ 2026-04-17 10:46 UTC (permalink / raw)
To: linux-bluetooth; +Cc: luiz.dentz, marcel, sven, marcan, asahi, stable
From: Tristan Madani <tristan@talencesecurity.com>
The firmware-controlled entry->len is used as the memcpy size for inline
payload data without bounds checking when the PAYLOAD_MAPPED flag is not
set. This causes out-of-bounds reads from the completion ring DMA memory
for the HCI_D2H and SCO_D2H transfer rings.
Add a length validation against the completion ring payload_size.
Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/bluetooth/hci_bcm4377.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c
index 925d0a635..5d2f594c2 100644
--- a/drivers/bluetooth/hci_bcm4377.c
+++ b/drivers/bluetooth/hci_bcm4377.c
@@ -755,6 +755,13 @@ static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
msg_id = le16_to_cpu(entry->msg_id);
transfer_ring = le16_to_cpu(entry->ring_id);
+ if (data_len > ring->payload_size) {
+ dev_warn(&bcm4377->pdev->dev,
+ "event data len %zu exceeds payload size %zu for ring %d\n",
+ data_len, ring->payload_size, ring->ring_id);
+ return;
+ }
+
if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
dev_warn(
&bcm4377->pdev->dev,
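Review bot: the new dev_warn passes ring->payload_size to a %zu conversion, but payload_size is not a size_t (the kernel test robot reports later in this thread flag it as u16 under clang and as a promoted int under gcc), so this hunk trips -Wformat on W=1 builds; print it with %u, or cast it to size_t so it matches the data_len argument, e.g. "event data len %zu exceeds payload size %u for ring %d\n". Because this path is driven by firmware-supplied lengths, dev_warn_ratelimited() would also keep a misbehaving device from flooding the log on every completion.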
--
2.47.3
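As an added example (not the driver's or the author's code), here is a host-side C model of the completion-ring layout the commit message describes, showing why the firmware-supplied entry->len must be bounded by the ring's payload_size before the inline payload is copied. HDR_LEN, the struct and function names, and the sample ring contents are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout (struct bcm4377_completion_ring_entry is not on the page):
 * 12-byte header starting with the 32-bit len, then payload_size data bytes. */
#define HDR_LEN 12

struct cr_ring {
	uint8_t *ring;         /* DMA memory: n_entries * (HDR_LEN + payload_size) */
	uint16_t n_entries;
	uint16_t payload_size; /* inline payload room after each header */
};

/* Copy entry `pos`'s inline payload into out[out_cap]; returns the byte
 * count or -1 if the entry is rejected. Mirrors the checks in
 * bcm4377_handle_completion with the patch applied (little-endian host
 * assumed where the driver uses le32_to_cpu). */
static long cr_read_inline(const struct cr_ring *r, uint16_t pos,
			   uint8_t *out, size_t out_cap)
{
	size_t entry_size = HDR_LEN + r->payload_size;
	const uint8_t *entry;
	uint32_t len;
	if (pos >= r->n_entries)                /* pre-existing check */
		return -1;
	entry = r->ring + pos * entry_size;
	memcpy(&len, entry, sizeof len);        /* entry->len, firmware-controlled */
	/* The fix: only payload_size bytes belong to this entry; a larger
	 * len would memcpy past it into the neighbouring ring slot. */
	if (len > r->payload_size || len > out_cap)
		return -1;
	memcpy(out, entry + HDR_LEN, len);
	return (long)len;
}

/* Constructed sample: 2-entry ring, 8-byte payloads. Entry 0's payload is
 * 0xAA and carries the given len; the rest of the ring is 0xEE. Returns
 * bytes copied, -1 if rejected, or -2 if any 0xEE byte leaked through. */
static long sample_check(uint32_t len)
{
	uint8_t mem[2 * (HDR_LEN + 8)], out[64];
	struct cr_ring r = { mem, 2, 8 };
	long n;
	memset(mem, 0xEE, sizeof mem);
	memset(mem, 0x00, HDR_LEN);
	memset(mem + HDR_LEN, 0xAA, 8);
	memcpy(mem, &len, sizeof len);          /* entry 0 header: len */
	n = cr_read_inline(&r, 0, out, sizeof out);
	for (long i = 0; i < n; i++)
		if (out[i] == 0xEE)
			return -2;
	return n;
}
```

A length equal to payload_size is the largest value the check admits; anything larger, including a length that would span into the next ring slot, is dropped before the copy.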
* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: Neal Gompa @ 2026-04-17 12:55 UTC (permalink / raw)
To: Tristan Madani
Cc: linux-bluetooth, luiz.dentz, marcel, sven, marcan, asahi, stable
On Fri, Apr 17, 2026 at 6:49 AM Tristan Madani <tristmd@gmail.com> wrote:
>
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The firmware-controlled entry->len is used as the memcpy size for inline
> payload data without bounds checking when the PAYLOAD_MAPPED flag is not
> set. This causes out-of-bounds reads from the completion ring DMA memory
> for the HCI_D2H and SCO_D2H transfer rings.
>
> Add a length validation against the completion ring payload_size.
>
> Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> drivers/bluetooth/hci_bcm4377.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c
> index 925d0a635..5d2f594c2 100644
> --- a/drivers/bluetooth/hci_bcm4377.c
> +++ b/drivers/bluetooth/hci_bcm4377.c
> @@ -755,6 +755,13 @@ static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
> msg_id = le16_to_cpu(entry->msg_id);
> transfer_ring = le16_to_cpu(entry->ring_id);
>
> + if (data_len > ring->payload_size) {
> + dev_warn(&bcm4377->pdev->dev,
> + "event data len %zu exceeds payload size %zu for ring %d\n",
> + data_len, ring->payload_size, ring->ring_id);
> + return;
> + }
> +
> if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
> dev_warn(
> &bcm4377->pdev->dev,
> --
> 2.47.3
>
>
Seems sensible enough.
Reviewed-by: Neal Gompa <neal@gompa.dev>
--
真実はいつも一つ!/ Always, there's only one truth!
* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: Luiz Augusto von Dentz @ 2026-04-20 20:37 UTC (permalink / raw)
To: Tristan Madani; +Cc: linux-bluetooth, marcel, sven, marcan, asahi, stable
Hi Tristan,
On Fri, Apr 17, 2026 at 6:46 AM Tristan Madani <tristmd@gmail.com> wrote:
>
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The firmware-controlled entry->len is used as the memcpy size for inline
> payload data without bounds checking when the PAYLOAD_MAPPED flag is not
> set. This causes out-of-bounds reads from the completion ring DMA memory
> for the HCI_D2H and SCO_D2H transfer rings.
>
> Add a length validation against the completion ring payload_size.
>
> Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> drivers/bluetooth/hci_bcm4377.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c
> index 925d0a635..5d2f594c2 100644
> --- a/drivers/bluetooth/hci_bcm4377.c
> +++ b/drivers/bluetooth/hci_bcm4377.c
> @@ -755,6 +755,13 @@ static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
> msg_id = le16_to_cpu(entry->msg_id);
> transfer_ring = le16_to_cpu(entry->ring_id);
>
> + if (data_len > ring->payload_size) {
> + dev_warn(&bcm4377->pdev->dev,
> + "event data len %zu exceeds payload size %zu for ring %d\n",
> + data_len, ring->payload_size, ring->ring_id);
> + return;
> + }
> +
> if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
> dev_warn(
> &bcm4377->pdev->dev,
> --
> 2.47.3
https://sashiko.dev/#/patchset/20260417104639.2608008-1-tristmd%40gmail.com
Comments seem valid.
--
Luiz Augusto von Dentz
* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: kernel test robot @ 2026-04-21 14:36 UTC (permalink / raw)
To: Tristan Madani, linux-bluetooth
Cc: llvm, oe-kbuild-all, luiz.dentz, marcel, sven, marcan, asahi, stable
Hi Tristan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on bluetooth/master]
[also build test WARNING on bluetooth-next/master linus/master v7.0 next-20260420]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Tristan-Madani/Bluetooth-hci_bcm4377-validate-firmware-event-length-in-completion-ring/20260420-161359
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link: https://lore.kernel.org/r/20260417104639.2608008-1-tristmd%40gmail.com
patch subject: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
config: um-allmodconfig (https://download.01.org/0day-ci/archive/20260421/202604212248.Sek1Tdfg-lkp@intel.com/config)
compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260421/202604212248.Sek1Tdfg-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604212248.Sek1Tdfg-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from drivers/bluetooth/hci_bcm4377.c:11:
In file included from include/linux/dma-mapping.h:8:
In file included from include/linux/scatterlist.h:9:
In file included from arch/um/include/asm/io.h:24:
include/asm-generic/io.h:1209:55: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
1209 | return (port > MMIO_UPPER_LIMIT) ? NULL : PCI_IOBASE + port;
| ~~~~~~~~~~ ^
>> drivers/bluetooth/hci_bcm4377.c:761:15: warning: format specifies type 'size_t' (aka 'unsigned long') but the argument has type 'u16' (aka 'unsigned short') [-Wformat]
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ~~~
| %hu
761 | data_len, ring->payload_size, ring->ring_id);
| ^~~~~~~~~~~~~~~~~~
include/linux/dev_printk.h:156:70: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ~~~ ^~~~~~~~~~~
include/linux/dev_printk.h:110:23: note: expanded from macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ~~~ ^~~~~~~~~~~
2 warnings generated.
vim +761 drivers/bluetooth/hci_bcm4377.c
734
735 static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
736 struct bcm4377_completion_ring *ring,
737 u16 pos)
738 {
739 struct bcm4377_completion_ring_entry *entry;
740 u16 msg_id, transfer_ring;
741 size_t entry_size, data_len;
742 void *data;
743
744 if (pos >= ring->n_entries) {
745 dev_warn(&bcm4377->pdev->dev,
746 "invalid offset %d for completion ring %d\n", pos,
747 ring->ring_id);
748 return;
749 }
750
751 entry_size = sizeof(*entry) + ring->payload_size;
752 entry = ring->ring + pos * entry_size;
753 data = ring->ring + pos * entry_size + sizeof(*entry);
754 data_len = le32_to_cpu(entry->len);
755 msg_id = le16_to_cpu(entry->msg_id);
756 transfer_ring = le16_to_cpu(entry->ring_id);
757
758 if (data_len > ring->payload_size) {
759 dev_warn(&bcm4377->pdev->dev,
760 "event data len %zu exceeds payload size %zu for ring %d\n",
> 761 data_len, ring->payload_size, ring->ring_id);
762 return;
763 }
764
765 if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
766 dev_warn(
767 &bcm4377->pdev->dev,
768 "invalid entry at offset %d for transfer ring %d in completion ring %d\n",
769 pos, transfer_ring, ring->ring_id);
770 return;
771 }
772
773 dev_dbg(&bcm4377->pdev->dev,
774 "entry in completion ring %d for transfer ring %d with msg_id %d\n",
775 ring->ring_id, transfer_ring, msg_id);
776
777 switch (transfer_ring) {
778 case BCM4377_XFER_RING_CONTROL:
779 bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
780 break;
781 case BCM4377_XFER_RING_HCI_H2D:
782 bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
783 break;
784 case BCM4377_XFER_RING_SCO_H2D:
785 bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
786 break;
787 case BCM4377_XFER_RING_ACL_H2D:
788 bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
789 break;
790
791 case BCM4377_XFER_RING_HCI_D2H:
792 bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
793 entry->flags, HCI_EVENT_PKT, data,
794 data_len);
795 break;
796 case BCM4377_XFER_RING_SCO_D2H:
797 bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
798 entry->flags, HCI_SCODATA_PKT, data,
799 data_len);
800 break;
801 case BCM4377_XFER_RING_ACL_D2H:
802 bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
803 entry->flags, HCI_ACLDATA_PKT, data,
804 data_len);
805 break;
806
807 default:
808 dev_warn(
809 &bcm4377->pdev->dev,
810 "entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
811 ring->ring_id, transfer_ring, msg_id);
812 }
813 }
814
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: kernel test robot @ 2026-04-21 15:50 UTC (permalink / raw)
To: Tristan Madani, linux-bluetooth
Cc: oe-kbuild-all, luiz.dentz, marcel, sven, marcan, asahi, stable
Hi Tristan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on bluetooth/master]
[also build test WARNING on bluetooth-next/master linus/master v7.0 next-20260420]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Tristan-Madani/Bluetooth-hci_bcm4377-validate-firmware-event-length-in-completion-ring/20260420-161359
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link: https://lore.kernel.org/r/20260417104639.2608008-1-tristmd%40gmail.com
patch subject: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
config: um-allyesconfig (https://download.01.org/0day-ci/archive/20260422/202604220005.gyhLDa7b-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260422/202604220005.gyhLDa7b-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604220005.gyhLDa7b-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/linux/device.h:15,
from include/linux/async.h:14,
from drivers/bluetooth/hci_bcm4377.c:8:
drivers/bluetooth/hci_bcm4377.c: In function 'bcm4377_handle_completion':
>> drivers/bluetooth/hci_bcm4377.c:760:26: warning: format '%zu' expects argument of type 'size_t', but argument 4 has type 'int' [-Wformat=]
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/dev_printk.h:110:30: note: in definition of macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ^~~
include/linux/dev_printk.h:156:61: note: in expansion of macro 'dev_fmt'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~~
drivers/bluetooth/hci_bcm4377.c:759:17: note: in expansion of macro 'dev_warn'
759 | dev_warn(&bcm4377->pdev->dev,
| ^~~~~~~~
drivers/bluetooth/hci_bcm4377.c:760:69: note: format string is defined here
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ~~^
| |
| long unsigned int
| %u
vim +760 drivers/bluetooth/hci_bcm4377.c
734
735 static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
736 struct bcm4377_completion_ring *ring,
737 u16 pos)
738 {
739 struct bcm4377_completion_ring_entry *entry;
740 u16 msg_id, transfer_ring;
741 size_t entry_size, data_len;
742 void *data;
743
744 if (pos >= ring->n_entries) {
745 dev_warn(&bcm4377->pdev->dev,
746 "invalid offset %d for completion ring %d\n", pos,
747 ring->ring_id);
748 return;
749 }
750
751 entry_size = sizeof(*entry) + ring->payload_size;
752 entry = ring->ring + pos * entry_size;
753 data = ring->ring + pos * entry_size + sizeof(*entry);
754 data_len = le32_to_cpu(entry->len);
755 msg_id = le16_to_cpu(entry->msg_id);
756 transfer_ring = le16_to_cpu(entry->ring_id);
757
758 if (data_len > ring->payload_size) {
759 dev_warn(&bcm4377->pdev->dev,
> 760 "event data len %zu exceeds payload size %zu for ring %d\n",
761 data_len, ring->payload_size, ring->ring_id);
762 return;
763 }
764
765 if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
766 dev_warn(
767 &bcm4377->pdev->dev,
768 "invalid entry at offset %d for transfer ring %d in completion ring %d\n",
769 pos, transfer_ring, ring->ring_id);
770 return;
771 }
772
773 dev_dbg(&bcm4377->pdev->dev,
774 "entry in completion ring %d for transfer ring %d with msg_id %d\n",
775 ring->ring_id, transfer_ring, msg_id);
776
777 switch (transfer_ring) {
778 case BCM4377_XFER_RING_CONTROL:
779 bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
780 break;
781 case BCM4377_XFER_RING_HCI_H2D:
782 bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
783 break;
784 case BCM4377_XFER_RING_SCO_H2D:
785 bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
786 break;
787 case BCM4377_XFER_RING_ACL_H2D:
788 bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
789 break;
790
791 case BCM4377_XFER_RING_HCI_D2H:
792 bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
793 entry->flags, HCI_EVENT_PKT, data,
794 data_len);
795 break;
796 case BCM4377_XFER_RING_SCO_D2H:
797 bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
798 entry->flags, HCI_SCODATA_PKT, data,
799 data_len);
800 break;
801 case BCM4377_XFER_RING_ACL_D2H:
802 bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
803 entry->flags, HCI_ACLDATA_PKT, data,
804 data_len);
805 break;
806
807 default:
808 dev_warn(
809 &bcm4377->pdev->dev,
810 "entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
811 ring->ring_id, transfer_ring, msg_id);
812 }
813 }
814
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki