From: Minseo Park
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com, Minseo Park
Subject: [PATCH] Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
Date: Sun, 15 Mar 2026 22:14:37 +0900
Message-ID: <20260315131437.10890-1-jacob.park.9436@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd() that is triggered by a malformed Enhanced Credit Based Connection Request.

The vulnerability stems from l2cap_ecred_conn_req(). The function allocates a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated `cmd_len` before checking if the number of SCIDs exceeds L2CAP_ECRED_MAX_CID. If the SCID count is too high, the function correctly jumps to the `response` label to reject the packet, but `rsp_len` retains the attacker's oversized value. Consequently, l2cap_send_cmd() is instructed to read past the end of the 18-byte `pdu` buffer, triggering a KASAN panic.

Fix this by moving the assignment of `rsp_len` to after the `num_scid` boundary check. If the packet is rejected, `rsp_len` will safely remain 0, and the error response will only read the 8-byte base header from the stack.

Fixes: c28d2bff7044 ("Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too short")
Reported-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b7f3e7d9a596bf6a63e3
Tested-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com
Signed-off-by: Minseo Park --- net/bluetooth/l2cap_core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index ad98db9632fd..abd091155d04 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -5075,14 +5075,14 @@ static inline int l2cap_ecred_conn_req(struct l2cap= _conn *conn, cmd_len -=3D sizeof(*req); num_scid =3D cmd_len / sizeof(u16); =20 - /* Always respond with the same number of scids as in the request */ - rsp_len =3D cmd_len; - if (num_scid > L2CAP_ECRED_MAX_CID) { result =3D L2CAP_CR_LE_INVALID_PARAMS; goto response; } =20 + /* Always respond with the same number of scids as in the request */ + rsp_len =3D cmd_len; + mtu =3D __le16_to_cpu(req->mtu); mps =3D __le16_to_cpu(req->mps); =20 --=20 2.43.0
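Review bot: the rejection path's safety now rests on `rsp_len` being zero when the `num_scid > L2CAP_ECRED_MAX_CID` branch takes `goto response`, but the declaration and initialization of `rsp_len` lie outside this hunk's context lines; confirm it is initialized to 0 at its declaration (the commit message asserts "rsp_len will safely remain 0"), since otherwise the error response would be built with an indeterminate length rather than the 8-byte base header. The moved comment `/* Always respond with the same number of scids as in the request */` states the intent but not the ordering constraint; a short addition such as "num_scid is bounded by L2CAP_ECRED_MAX_CID above, so rsp_len fits pdu" at the new assignment site would keep a future edit from hoisting it back above the check.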