[Linux-kernel-mentees] [PATCH v2] net/bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

Greg KH gregkh at linuxfoundation.org
Fri Jul 10 10:43:06 UTC 2020


On Thu, Jul 09, 2020 at 09:02:24AM -0400, Peilin Ye wrote:
> Check upon `num_rsp` is insufficient. A malformed event packet with a
> large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
> of bounds. Fix it.
> 
> This patch fixes the following syzbot bug:
> 
>     https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2
> 
> Reported-by: syzbot+d8489a79b781849b9c46 at syzkaller.appspotmail.com
> Signed-off-by: Peilin Ye <yepeilin.cs at gmail.com>

Acked-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>

Bluetooth maintainers, can you also add a cc: stable on this so it gets
picked up properly there?

thanks,

greg k-h


More information about the Linux-kernel-mentees mailing list