Skip to content

[PW_SID:1082469] [v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring#99

Open
BluezTestBot wants to merge 1 commit intoworkflowfrom
1082469
Open

[PW_SID:1082469] [v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring#99
BluezTestBot wants to merge 1 commit intoworkflowfrom
1082469

Conversation

@BluezTestBot
Copy link
Copy Markdown

@BluezTestBot BluezTestBot commented Apr 17, 2026

From: Tristan Madani tristan@talencesecurity.com

The firmware-controlled entry->len is used as the memcpy size for inline
payload data without bounds checking when the PAYLOAD_MAPPED flag is not
set. This causes out-of-bounds reads from the completion ring DMA memory
for the HCI_D2H and SCO_D2H transfer rings.

Add a length validation against the completion ring payload_size.

Fixes: 8a06127 ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani tristan@talencesecurity.com

drivers/bluetooth/hci_bcm4377.c | 7 +++++++
1 file changed, 7 insertions(+)

@Vudentz
Bluetooth: hci_bcm4377: validate firmware event length in completion …
3b0c654 
…ring

The firmware-controlled entry->len is used as the memcpy size for inline
payload data without bounds checking when the PAYLOAD_MAPPED flag is not
set. This causes out-of-bounds reads from the completion ring DMA memory
for the HCI_D2H and SCO_D2H transfer rings.

Add a length validation against the completion ring payload_size.

Fixes: 8a06127 ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.74 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

GitLint
Desc: Run gitlint
Duration: 0.34 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.13 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 27.35 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 29.94 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 29.01 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 26.57 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 588.93 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 17, 2026

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 26.60 seconds
Result: PASS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area:drivers

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BluezTestBot