From: Zhang Cen
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, zerocling0077@gmail.com, 2045gemini@gmail.com
Subject: [PATCH v2] Bluetooth: MGMT: validate advertising TLV before type checks
Date: Thu, 28 May 2026 15:57:01 +0800
Message-Id: <20260528075701.3417224-1-rollkingzzc@gmail.com>
X-Mailer: git-send-email 2.34.1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data.

Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].

KASAN reported an out-of-bounds read in tlv_data_is_valid(), reached through add_advertising() and hci_mgmt_cmd().

Fixes: 2bb36870e8cb ("Bluetooth: Unify advertising instance flags check")
Signed-off-by: Zhang Cen Reviewed-by: Paul Menzel --- v2: - Drop the MGMT_OP_ADD_EXT_ADV_DATA hunk; bluetooth-next already validates that command length. - Keep only the tlv_data_is_valid() element-ordering fix. - Add a Fixes tag and avoid the raw KASAN headline that triggered checkpatch. net/bluetooth/mgmt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index de5bd6b637b20..027b266ccc747 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -8638,6 +8638,12 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, = u32 adv_flags, u8 *data, if (!cur_len) continue; =20 + /* If the current field length would exceed the total data + * length, then it's invalid. + */ + if (i + cur_len >=3D len) + return false; + if (data[i + 1] =3D=3D EIR_FLAGS && (!is_adv_data || flags_managed(adv_flags))) return false; @@ -8654,12 +8660,6 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, = u32 adv_flags, u8 *data, if (data[i + 1] =3D=3D EIR_APPEARANCE && appearance_managed(adv_flags)) return false; - - /* If the current field length would exceed the total data - * length, then it's invalid. - */ - if (i + cur_len >=3D len) - return false; } =20 return true; --=20 2.43.0
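Review bot: in the first hunk the moved check `if (i + cur_len >= len) return false;` now does double duty, because `cur_len` is known to be non-zero at that point (the `if (!cur_len) continue;` directly above it): with cur_len >= 1, i + 1 <= i + cur_len < len, which is exactly what makes the `data[i + 1]` reads that follow safe. The carried-over comment only talks about the field exceeding the total data length, so extend it to say that it also guarantees the type octet is inside the buffer, since that is the property the commit message relies on and the reason the check has to sit above the EIR_FLAGS and EIR_APPEARANCE comparisons.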
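Review bot: the block removed in the second hunk is textually identical to the one added in the first, so the accepted set of elements is unchanged and the fix is a pure reorder of the existing predicate; it would help backporters of the Fixes: commit if the commit message said so explicitly, and, given the v2 note that bluetooth-next already validates the MGMT_OP_ADD_EXT_ADV_DATA command length, it is worth confirming that the Reviewed-by tag carried over from v1 still applies to this reduced hunk set.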
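The ordering the commit message describes, as an added stand-alone C model (not the kernel's tlv_data_is_valid() and not the author's code): the element-length check runs before any data[i + 1] type inspection, so a constructed buffer whose final byte is a length is rejected without reading past the end. The managed-type predicates and the is_adv_data argument are simplified to plain booleans, which is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bluetooth EIR/AD type octets that the MGMT layer may manage itself. */
#define EIR_FLAGS      0x01
#define EIR_APPEARANCE 0x19

/* Walk advertising data laid out as [len][type][payload...] elements.
 * Returns false for a truncated element or for a managed type the caller
 * must not supply. The bounds check runs first: with cur_len >= 1 it
 * proves i + 1 <= i + cur_len < len, so the data[i + 1] reads are safe.
 * Constructed model; the managed-type predicates are plain booleans here. */
static bool adv_tlv_is_valid(const uint8_t *data, size_t len,
                             bool flags_managed, bool appearance_managed)
{
    size_t i = 0;

    while (i < len) {
        size_t cur_len = data[i];

        if (cur_len == 0) {          /* empty element: only a length byte */
            i++;
            continue;
        }
        /* Element spans data[i..i + cur_len]; the last byte must be inside. */
        if (i + cur_len >= len)
            return false;
        if (data[i + 1] == EIR_FLAGS && flags_managed)
            return false;
        if (data[i + 1] == EIR_APPEARANCE && appearance_managed)
            return false;
        i += cur_len + 1;
    }
    return true;
}

/* Constructed sample buffers, not captured over the air. */
static const uint8_t adv_ok[]    = { 0x02, 0x01, 0x06, 0x03, 0x03, 0x0d, 0x18 };
static const uint8_t adv_trunc[] = { 0x02, 0x01, 0x06, 0x05 }; /* last byte is a length */
static const uint8_t adv_exact[] = { 0x01, 0x19 };             /* appearance, fits exactly */

int main(void)
{
    printf("ok:    %d\n", adv_tlv_is_valid(adv_ok, sizeof adv_ok, false, false));
    printf("trunc: %d\n", adv_tlv_is_valid(adv_trunc, sizeof adv_trunc, false, false));
    printf("exact: %d\n", adv_tlv_is_valid(adv_exact, sizeof adv_exact, false, true));
    return 0;
}
```

With the original ordering, adv_trunc would have read data[4] before the length check fired; here the check rejects the element first.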