[PW_SID:1092077] Bluetooth: mgmt: validate advertising TLV envelopes before parsing by BluezTestBot · Pull Request #159 · bluez/bluetooth-next

BluezTestBot · 2026-05-09T18:04:11Z

tlv_data_is_valid() loads the field length from data[i] and then inspects
data[i + 1] for managed EIR types before it proves that the element still
fits inside the supplied advertising buffer.

Move the existing per-element length check ahead of the type-byte tests so
every non-empty element is proven to fit before data[i + 1] is read.

Also reject MGMT_OP_ADD_EXT_ADV_DATA commands whose declared advertising
and scan-response lengths do not match the trailing command payload.
Unlike MGMT_OP_ADD_ADVERTISING, that path did not validate the outer
envelope before slicing cp->data for tlv_data_is_valid().

Sanitizer validation reported:
BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
Read of size 1 at addr ffffc9000031a000
Call trace:
dump_stack_lvl() (?:?)
print_address_description() (mm/kasan/report.c:373)
tlv_data_is_valid() (net/bluetooth/mgmt.c:8623)
print_report() (?:?)
srso_alias_return_thunk() (arch/x86/include/asm/nospec-branch.h:375)
kasan_addr_to_slab() (mm/kasan/common.c:45)
kasan_report() (?:?)
add_advertising() (net/bluetooth/mgmt.c:8751)
__entry_text_end() (?:?)
__hci_dev_get() (net/bluetooth/hci_core.c:67)
do_raw_read_unlock() (kernel/locking/spinlock_debug.c:178)
_raw_read_unlock() (kernel/locking/spinlock.c:262)
hci_mgmt_cmd() (net/bluetooth/hci_sock.c:1619)
hci_sock_sendmsg() (net/bluetooth/hci_sock.c:1800)
sock_write_iter() (net/socket.c:1234)
reacquire_held_locks() (kernel/locking/lockdep.c:5375)
security_file_permission() (?:?)
vfs_write() (fs/read_write.c:668)
__sys_bind() (net/socket.c:1947)
ksys_write() (fs/read_write.c:729)
rcu_is_watching() (?:?)
do_syscall_64() (arch/x86/entry/syscall_64.c:87)
entry_SYSCALL_64_after_hwframe() (?:?)

Signed-off-by: Zhang Cen rollkingzzc@gmail.com

This patch adds workflow files for ci: [sync.yml] - The workflow file for scheduled work - Sync the repo with upstream repo and rebase the workflow branch - Review the patches in the patchwork and creates the PR if needed [ci.yml] - The workflow file for CI tasks - Run CI tests when PR is created Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>

This replaces the bzcafe action with bluez/action-ci so we can maintain everything in the github bluez organization Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This attempts to sync every 5 minutes instead of 30. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

bluez/action-ci uses master as default branch for workflow which is incorrect for kernel Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The CI action now creates individual GitHub Check Runs per test, which requires 'checks: write' permission on the GITHUB_TOKEN. Also make the pull_request trigger types explicit to include 'reopened', allowing CI to be retriggered by closing and reopening a PR.

tlv_data_is_valid() loads the field length from data[i] and then inspects data[i + 1] for managed EIR types before it proves that the element still fits inside the supplied advertising buffer. Move the existing per-element length check ahead of the type-byte tests so every non-empty element is proven to fit before data[i + 1] is read. Also reject MGMT_OP_ADD_EXT_ADV_DATA commands whose declared advertising and scan-response lengths do not match the trailing command payload. Unlike MGMT_OP_ADD_ADVERTISING, that path did not validate the outer envelope before slicing cp->data for tlv_data_is_valid(). Sanitizer validation reported: BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 at addr ffffc9000031a000 Call trace: dump_stack_lvl() (?:?) print_address_description() (mm/kasan/report.c:373) tlv_data_is_valid() (net/bluetooth/mgmt.c:8623) print_report() (?:?) srso_alias_return_thunk() (arch/x86/include/asm/nospec-branch.h:375) kasan_addr_to_slab() (mm/kasan/common.c:45) kasan_report() (?:?) add_advertising() (net/bluetooth/mgmt.c:8751) __entry_text_end() (?:?) __hci_dev_get() (net/bluetooth/hci_core.c:67) do_raw_read_unlock() (kernel/locking/spinlock_debug.c:178) _raw_read_unlock() (kernel/locking/spinlock.c:262) hci_mgmt_cmd() (net/bluetooth/hci_sock.c:1619) hci_sock_sendmsg() (net/bluetooth/hci_sock.c:1800) sock_write_iter() (net/socket.c:1234) reacquire_held_locks() (kernel/locking/lockdep.c:5375) security_file_permission() (?:?) vfs_write() (fs/read_write.c:668) __sys_bind() (net/socket.c:1947) ksys_write() (fs/read_write.c:729) rcu_is_watching() (?:?) do_syscall_64() (arch/x86/entry/syscall_64.c:87) entry_SYSCALL_64_after_hwframe() (?:?) Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>

github-actions · 2026-05-09T18:15:21Z

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.60 seconds
Result: FAIL
Output:

Bluetooth: mgmt: validate advertising TLV envelopes before parsing
WARNING: The commit message has 'BUG: KASAN: ', perhaps it also needs a 'Fixes:' tag?

total: 0 errors, 1 warnings, 0 checks, 34 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14563149.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

github-actions · 2026-05-09T18:15:23Z

GitLint
Desc: Run gitlint
Duration: 0.27 seconds
Result: PASS

github-actions · 2026-05-09T18:15:24Z

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.11 seconds
Result: PASS

github-actions · 2026-05-09T18:15:48Z

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 19.18 seconds
Result: PASS

github-actions · 2026-05-09T18:16:14Z

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 21.24 seconds
Result: PASS

github-actions · 2026-05-09T18:16:39Z

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 20.64 seconds
Result: PASS

github-actions · 2026-05-09T18:17:03Z

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 19.26 seconds
Result: PASS

github-actions · 2026-05-09T18:23:49Z

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 404.83 seconds
Result: PASS

github-actions · 2026-05-09T18:57:19Z

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 2008.13 seconds
Result: PASS

github-actions · 2026-05-09T18:58:15Z

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 55.00 seconds
Result: PASS

github-actions · 2026-05-09T18:58:39Z

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 19.11 seconds
Result: PASS

tedd-an and others added 6 commits May 6, 2026 20:37

workflows: Make use bluez/action-ci action

1c0da8f

This replaces the bzcafe action with bluez/action-ci so we can maintain everything in the github bluez organization Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

workflow/sync: Attempt to sync every 5 minutes

891598a

This attempts to sync every 5 minutes instead of 30. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

workflow/sync: Set workflow to use worflow branch

4638e9d

bluez/action-ci uses master as default branch for workflow which is incorrect for kernel Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

github-actions Bot added the area:mgmt label May 9, 2026

github-actions Bot force-pushed the workflow branch 2 times, most recently from 5c3256e to 75a1a12 Compare May 11, 2026 20:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[PW_SID:1092077] Bluetooth: mgmt: validate advertising TLV envelopes before parsing#159

[PW_SID:1092077] Bluetooth: mgmt: validate advertising TLV envelopes before parsing#159
BluezTestBot wants to merge 6 commits into
workflowfrom
1092077

BluezTestBot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

BluezTestBot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants