From: Paul Menzel <pmenzel@molgen.mpg.de>
To: Seungjin Bae <eeodqql09@gmail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v2] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
Date: Wed, 8 Oct 2025 05:51:52 +0200 [thread overview]
Message-ID: <77bde79f-2080-4e40-a013-52b480c0928c@molgen.mpg.de> (raw)
In-Reply-To: <20251008015640.3745834-2-eeodqql09@gmail.com>
Dear Seungjin,
Thank you for the patch.
Am 08.10.25 um 03:56 schrieb pip-izony:
> From: Seungjin Bae <eeodqql09@gmail.com>
>
> The bfusb_rx_complete() function parses incoming URB data in while loop.
… in *a* while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> accross loop iterations, which can lead to a buffer over-read.
across
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel panic.
Please re-flow for 75 characters per line.
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
> v1 -> v2: Fixing the error function name
>
> drivers/bluetooth/bfusb.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..45f4ec5b6860 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,10 @@ static void bfusb_rx_complete(struct urb *urb)
> count -= 2;
> buf += 2;
> } else {
> + if (count < 3) {
> + bt_dev_err(data->hdev, "block header is too short");
Please print count and 3.
> + break;
> + }
Please use tabs for alignment. `scripts/checkpatch.pl` should have
warned about this.
> len = (buf[2] == 0) ? 256 : buf[2];
> count -= 3;
> buf += 3;
Kind regards,
Paul
next prev parent reply other threads:[~2025-10-08 3:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-07 23:29 [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing loop pip-izony
2025-10-08 1:56 ` [PATCH v2] " pip-izony
2025-10-08 3:51 ` Paul Menzel [this message]
2025-10-08 4:58 ` [PATCH] " Greg KH
2025-10-09 8:46 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=77bde79f-2080-4e40-a013-52b480c0928c@molgen.mpg.de \
--to=pmenzel@molgen.mpg.de \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=eeodqql09@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox