From nobody Sat Feb 7 20:47:41 2026 Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com [209.85.222.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 47F9824679A for ; Tue, 7 Oct 2025 23:38:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759880282; cv=none; b=d7mUK4ptP2HXvwtjA0XaAPX+Znnj4K3OO8sT+jJtQy6XKzN4itpVKnK+oCEwFI27bUpZidoFkrgwVQS6YwoZjjBzwxiQw8/gnM9dz19JnC3sQDZNm7BcYEmzc4axBGqfeYn1ntKapwRRfeJpD5jyywA8/VNxJchz8+4qCziWjoY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759880282; c=relaxed/simple; bh=h26x29s20hjBJODDc+mltJ1rrKTeU+LcB6figctfTWU=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=gJdcLCOlAHJPoJetxGdbYoLijKFT+/cseaX8d+dQPENryPKhr4ugVy/RWioBpjmfOW0IahZSYyLhlDyNRJprKsnIk+7Oj0UOfzsv0MSJC0NzsZr2DGRVfrDj2VSs3kATBK5OwVPh9GJN/5zVkKmwOlNqx4yIO40LgYTjSPcvMjg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=apz0RRnJ; arc=none smtp.client-ip=209.85.222.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="apz0RRnJ" Received: by mail-qk1-f177.google.com with SMTP id af79cd13be357-859b2ec0556so699960285a.0 for ; Tue, 07 Oct 2025 16:38:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1759880279; x=1760485079; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=PLxpd9kbi54qSwlv5nU44o57YQdg6U4+ha5MoJ07Q4g=; b=apz0RRnJSR8eH+105kHOth9iqPn054UtK/j/Kz0qb1C+A1IxNURZiWDiBQq9WPJU2c z2aoWLdMkfiavHyiFwyfK4raSKoKq/pS2D2xThFJ+lbBfQgGIaoBvw6gccYiaj2dqrS4 caRFZKQ0tghyj+ksfiBJl5C4a7TBGhx14Ap+dBcb7aOnz98s03JTftf3oJhw/qceVp6s MuAOPe1yTpqSK2Ct7QEWZJdYJME33nqlGO8DLlC6txODjXlp5qJONCYLJXAAovReXBd9 lhO7YraHnFwcZERsVzn4myBG8HIPDWzGPTu9OPA7kN8OQj6aIbk829dzIeUzCcIYfp6O xnEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759880279; x=1760485079; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=PLxpd9kbi54qSwlv5nU44o57YQdg6U4+ha5MoJ07Q4g=; b=djvkwBXNRLIsAQquGuNNfJLX7WAIXy+A0zTqrk00KuNQhtdWYbZAiLK6M3RfYsg149 dfoUsfMyxA80qFOLR3SUjwBleaY1/4ZSmnfqeugipjqNk7q7xXBdQFMwVgcgPTMC2uSb eAZsTpbvVriMzp00ezwvz/gJv+2TRGNo3U9X2PZZfJ346+AmLaMk3cGiKUW3A4v4uC6n GVURE7jqR0G9nhSaSmEbjvJIIrg3jKXYchlSF/g1XlurwdsSh+I45l50ooxhv4yR39jC zT+mfd1s0TzUDxS3PFWL1hXvJOpC15CsufGuOUBLlKAQgwwrfGGu6dJlHoQwB0O3Rv4S xA4A== X-Forwarded-Encrypted: i=1; AJvYcCVI19eTQc42/e29RECO+x8Nm0Tq6kq5unrHH1AlZnUSCrOJYaYX20XNOgpmEEs/pXNVoZmtqykQfr/LgSI=@vger.kernel.org X-Gm-Message-State: AOJu0YxQW/pfPn7+27zB998g7n9mchDNkmIjMGu/S4hA1nEx7akjmOkL /VTPx05I2hL6QnAy0W+NjCoHRz1FrRcYQHVcAkY0CzqmVRtvp7VLHvu2mHOpr1ek+Oo= X-Gm-Gg: ASbGncu5/TtAd4HXf+TNZYQjmLsI8P3B0ybB39zDPEm44fTCf0Om8TEdvkKPbMtDfC0 VbKcFDUmXB2d+H0q3Hp/m/Rxu7ydKmpAtWRjiB2JUIcuMvj/kOZ/P1nT2WUYuUznQEK67XQJ/k0 vMQqc7eA7e3XBHwlKOZ4mxl4kgCpE6mQAWoYaPkiRve9TE4bjdPLRgJz7ttht6H7VsXeF+kRtaQ Rjq1KrTl4K6F0gnOgJMhzHVcoexj+dxXdnrE431eakLaFnyNPB5OCJfUYVIm/Irr3LSMxvtLktF 3VuXmOHUF/7vjjGOQY6ORcaprLxIqRFQ5h2aGv7xvE44cRcfywNbtKi5u34Q4Lt7xzEXTI6xZtg P9SrbyEms35TBiwp5lBtc6/t0OIkKhXwqpiyp6OftsLcPbtW6NC5eveqyyWzvPul6n4Uc092GqP uoJxVOjmNCBNmkQDExKbi30OX65agq3so= X-Google-Smtp-Source: AGHT+IGWuoyjLBHTvXhdCeOdSV6cJByJ0Y01xALhTW3Q5DEdDg5DMyRj8M0bafbfIIx4igMJsj0h+Q== X-Received: by 2002:a05:620a:29d0:b0:826:a2b5:d531 with SMTP id af79cd13be357-88350a7881bmr266619585a.32.1759880279064; Tue, 07 Oct 2025 16:37:59 -0700 (PDT) Received: from mango-teamkim.. ([129.170.197.108]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-87a0e9bd554sm14351366d6.32.2025.10.07.16.37.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Oct 2025 16:37:58 -0700 (PDT) From: pip-izony To: Marcel Holtmann Cc: Seungjin Bae , Kyungtae Kim , Luiz Augusto von Dentz , linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH] Bluetooth: bfusb: Fix buffer over-read in rx processing loop Date: Tue, 7 Oct 2025 19:29:42 -0400 Message-ID: <20251007232941.3742133-2-eeodqql09@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Seungjin Bae The bfusb_rx_complete() function parses incoming URB data in while loop. The logic does not sufficiently validate the remaining buffer size(count) accross loop iterations, which can lead to a buffer over-read. For example, with 4-bytes remaining buffer, if the first iteration takes the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration, only 2-bytes remain, but the else branch is trying to access the third byte(buf[2]). This causes an out-of-bounds read and a potential kernel pani= c. This patch fixes the vulnerability by adding checks to ensure enough data remains in the buffer before it is accessed. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Seungjin Bae --- drivers/bluetooth/bfusb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c index 8df310983bf6..f17eae6dbd7d 100644 --- a/drivers/bluetooth/bfusb.c +++ b/drivers/bluetooth/bfusb.c @@ -360,6 +360,10 @@ static void bfusb_rx_complete(struct urb *urb) count -=3D 2; buf +=3D 2; } else { + if (count < 3) { + bf_dev_err(data->hdev, "block header is too short"); + break; + } len =3D (buf[2] =3D=3D 0) ? 256 : buf[2]; count -=3D 3; buf +=3D 3; --=20 2.43.0