1. Patchew
  2. linux
  3. View series

[PATCH v3] Bluetooth: bfusb: Fix buffer over-read in rx processing loop

pip-izony posted 1 patch 2 months, 1 week ago
There is a newer version of this series
drivers/bluetooth/bfusb.c | 6 ++++++
1 file changed, 6 insertions(+)
[PATCH v3] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
Posted by pip-izony 2 months, 1 week ago 
From: Seungjin Bae <eeodqql09@gmail.com>

The bfusb_rx_complete() function parses incoming URB data in a while loop.
The logic does not sufficiently validate the remaining buffer size(count)
across loop iterations, which can lead to a buffer over-read.

For example, with 4-bytes remaining buffer, if the first iteration takes
the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
only 2-bytes remain, but the else branch is trying to access the third
byte(buf[2]). This causes an out-of-bounds read and a potential kernel
panic.

This patch fixes the vulnerability by adding checks to ensure enough
data remains in the buffer before it is accessed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
 v1 -> v2: Fixing the error function name
 v2 -> v3: Addressing feedback from Paul Menzel

 drivers/bluetooth/bfusb.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index 8df310983bf6..90ca5ab2acc3 100644
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -360,6 +360,12 @@ static void bfusb_rx_complete(struct urb *urb)
 			count -= 2;
 			buf   += 2;
 		} else {
+			if (count < 3) {
+				bt_dev_err(data->hdev,
+				       "block header is too short (count=%d, expected=3)",
+				       count);
+				break;
+			}
 			len = (buf[2] == 0) ? 256 : buf[2];
 			count -= 3;
 			buf   += 3;
-- 
2.43.0
Re: [PATCH v3] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
Posted by Paul Menzel 2 months, 1 week ago 
Dear Seungjin,


Thank you for the patch.

Am 09.10.25 um 04:57 schrieb pip-izony:
> From: Seungjin Bae <eeodqql09@gmail.com>
> 
> The bfusb_rx_complete() function parses incoming URB data in a while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> across loop iterations, which can lead to a buffer over-read.
> 
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel
> panic.
> 
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
>   v1 -> v2: Fixing the error function name
>   v2 -> v3: Addressing feedback from Paul Menzel
> 
>   drivers/bluetooth/bfusb.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..90ca5ab2acc3 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,12 @@ static void bfusb_rx_complete(struct urb *urb)
>   			count -= 2;
>   			buf   += 2;
>   		} else {
> +			if (count < 3) {
> +				bt_dev_err(data->hdev,
> +				       "block header is too short (count=%d, expected=3)",

Why not: block header count %d < 3 (too short)

> +				       count);
> +				break;
> +			}
>   			len = (buf[2] == 0) ? 256 : buf[2];
>   			count -= 3;
>   			buf   += 3;

Either way:

Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>


Kind regards,

Paul
[PATCH v4] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
Posted by pip-izony 2 months, 1 week ago 
From: Seungjin Bae <eeodqql09@gmail.com>

The bfusb_rx_complete() function parses incoming URB data in a while loop.
The logic does not sufficiently validate the remaining buffer size(count)
across loop iterations, which can lead to a buffer over-read.

For example, with 4-bytes remaining buffer, if the first iteration takes
the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
only 2-bytes remain, but the else branch is trying to access the third
byte(buf[2]). This causes an out-of-bounds read and a potential kernel
panic.

This patch fixes the vulnerability by adding checks to ensure enough
data remains in the buffer before it is accessed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
  v1 -> v2: Fixing the error function name
  v2 -> v3: Addressing feedback from Paul Menzel
  v3 -> v4: Improving the error message for the block header count

 drivers/bluetooth/bfusb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index 8df310983bf6..02ba16775004 100644
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -360,6 +360,11 @@ static void bfusb_rx_complete(struct urb *urb)
 			count -= 2;
 			buf   += 2;
 		} else {
+			if (count < 3) {
+				bt_dev_err(data->hdev, "block header count %d < 3 (too short)",
+					   count);
+				break;
+			}
 			len = (buf[2] == 0) ? 256 : buf[2];
 			count -= 3;
 			buf   += 3;
-- 
2.43.0
Re: [PATCH v4] Bluetooth: bfusb: Fix buffer over-read in rx processing loop
Posted by Luiz Augusto von Dentz 2 months, 1 week ago 
Hi Pip-Izony,

On Thu, Oct 9, 2025 at 12:51 PM pip-izony <eeodqql09@gmail.com> wrote:
>
> From: Seungjin Bae <eeodqql09@gmail.com>
>
> The bfusb_rx_complete() function parses incoming URB data in a while loop.
> The logic does not sufficiently validate the remaining buffer size(count)
> across loop iterations, which can lead to a buffer over-read.
>
> For example, with 4-bytes remaining buffer, if the first iteration takes
> the `hdr & 0x4000` branch, 2-bytes are consumed. On the next iteration,
> only 2-bytes remain, but the else branch is trying to access the third
> byte(buf[2]). This causes an out-of-bounds read and a potential kernel
> panic.
>
> This patch fixes the vulnerability by adding checks to ensure enough
> data remains in the buffer before it is accessed.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>

This is sort of useless if you ask me, this driver is never used in
practice, and even in case someone still have the only model it
handles  USB_DEVICE(0x057c, 0x2200) I bet it would have been easier to
just add it to btusb since it appears to be using the standard class
as well.

> ---
>   v1 -> v2: Fixing the error function name
>   v2 -> v3: Addressing feedback from Paul Menzel
>   v3 -> v4: Improving the error message for the block header count
>
>  drivers/bluetooth/bfusb.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
> index 8df310983bf6..02ba16775004 100644
> --- a/drivers/bluetooth/bfusb.c
> +++ b/drivers/bluetooth/bfusb.c
> @@ -360,6 +360,11 @@ static void bfusb_rx_complete(struct urb *urb)
>                         count -= 2;
>                         buf   += 2;
>                 } else {
> +                       if (count < 3) {
> +                               bt_dev_err(data->hdev, "block header count %d < 3 (too short)",
> +                                          count);
> +                               break;
> +                       }
>                         len = (buf[2] == 0) ? 256 : buf[2];
>                         count -= 3;
>                         buf   += 3;
> --
> 2.43.0
>


-- 
Luiz Augusto von Dentz

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.