linux-yocto/net/bluetooth
Pauli Virtanen 5c19daa93d Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
commit e8785404de upstream.

There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to
memcpy from badly declared on-stack flexible array.

Another crash is in set_mesh_complete() due to double list_del via
mgmt_pending_valid + mgmt_pending_remove.

Use DEFINE_FLEX to declare the flexible array right, and don't memcpy
outside bounds.

As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,
and also report status on error.

Fixes: 302a1f674c ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-11-24 10:36:08 +01:00
bnep
cmtp
hidp
rfcomm Bluetooth: rfcomm: fix modem control handling 2025-11-13 15:33:55 -05:00
6lowpan.c Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions 2025-11-24 10:35:50 +01:00
af_bluetooth.c
aosp.c
aosp.h
coredump.c
ecdh_helper.c
ecdh_helper.h
eir.c
eir.h
hci_codec.c
hci_codec.h
hci_conn.c
hci_core.c
hci_debugfs.c
hci_debugfs.h
hci_event.c Bluetooth: hci_event: validate skb length for unknown CC opcode 2025-11-13 15:34:36 -05:00
hci_sock.c
hci_sync.c Bluetooth: hci_core: Fix tracking of periodic advertisement 2025-11-13 15:33:58 -05:00
hci_sysfs.c
iso.c Bluetooth: ISO: Fix another instance of dst_type handling 2025-11-13 15:33:58 -05:00
Kconfig
l2cap_core.c Bluetooth: L2CAP: export l2cap_chan_hold for modules 2025-11-24 10:35:53 +01:00
l2cap_sock.c
leds.c
leds.h
lib.c
Makefile
mgmt_config.c
mgmt_config.h
mgmt_util.c Bluetooth: MGMT: Fix possible UAFs 2025-11-24 10:35:56 +01:00
mgmt_util.h Bluetooth: MGMT: Fix possible UAFs 2025-11-24 10:35:56 +01:00
mgmt.c Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete 2025-11-24 10:36:08 +01:00
msft.c
msft.h
sco.c Bluetooth: SCO: Fix UAF on sco_conn_free 2025-11-13 15:34:31 -05:00
selftest.c
selftest.h
smp.c
smp.h