averello/linux-stable-mirror
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2026-04-03 12:05:13 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
dfd7e631a708ef300cc00da23f0e35c1fdbfe593
linux-stable-mirror/include/net
History
Ilia Gavrilov 4b7d4aa539 Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() 
commit 8d59fba493 upstream.

In the parse_adv_monitor_pattern() function, the value of
the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
The size of the 'value' array in the mgmt_adv_pattern structure is 31.
If the value of 'pattern[i].length' is set in the user space
and exceeds 31, the 'patterns[i].value' array can be accessed
out of bound when copied.

Increasing the size of the 'value' array in
the 'mgmt_adv_pattern' structure will break the userspace.
Considering this, and to avoid OOB access revert the limits for 'offset'
and 'length' back to the value of HCI_MAX_AD_LENGTH.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: db08722fc7 ("Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-11-13 15:34:39 -05:00
..
9p
bluetooth
Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
2025-11-13 15:34:39 -05:00
caif
net: Correct spelling in headers
2024-08-26 09:37:23 -07:00
iucv
libeth
libeth: add Tx buffer completion helpers
2024-09-09 13:15:37 -07:00
mana
net: mana: Support holes in device list reply msg
2025-03-28 22:03:28 +01:00
netfilter
netfilter: nf_tables: make nft_set_do_lookup available unconditionally
2025-09-19 16:35:50 +02:00
netns
netfilter: nf_tables: place base_seq in struct net
2025-09-19 16:35:50 +02:00
nfc
net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms
2025-11-13 15:34:18 -05:00
page_pool
page_pool: Track DMA-mapped pages and unmap them when destroying the pool
2025-06-19 15:31:42 +02:00
phonet
sctp
sctp: detect and prevent references to a freed transport in sendmsg
2025-04-20 10:15:50 +02:00
tc_act
net_sched: act_ctinfo: use atomic64_t for three counters
2025-08-15 12:13:43 +02:00
6lowpan.h
act_api.h
addrconf.h
net: Correct spelling in headers
2024-08-26 09:37:23 -07:00
af_ieee802154.h
af_rxrpc.h
af_unix.h
af_vsock.h
vsock: fix vsock_proto declaration
2025-07-17 18:37:05 +02:00
ah.h
amt.h
arp.h
atmclip.h
ax25.h
ax25: rcu protect dev->ax25_ptr
2025-02-08 09:57:10 +01:00
ax88796.h
bareudp.h
bond_3ad.h
bonding: update LACP activity flag after setting lacp_active
2025-08-28 16:31:15 +02:00
bond_alb.h
bond_options.h
bonding: add ns target multicast address to slave device
2024-11-14 11:16:28 +01:00
bonding.h
bonding: check xdp prog when set bond mode
2025-11-02 22:15:22 +09:00
bpf_sk_storage.h
busy_poll.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-08-29 11:49:10 -07:00
calipso.h
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
cfg80211-wext.h
cfg80211.h
wifi: cfg80211: Fix interface type validation
2025-08-20 18:30:31 +02:00
cfg802154.h
checksum.h
net: Fix checksum update for ILA adj-transport
2025-06-27 11:11:40 +01:00
cipso_ipv4.h
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
cls_cgroup.h
net/cls_cgroup: Fix task_get_classid() during qdisc run
2025-11-13 15:34:24 -05:00
codel_impl.h
codel_qdisc.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h
dropreason-core.h
net: vxlan: rename SKB_DROP_REASON_VXLAN_NO_REMOTE
2025-09-09 18:58:11 +02:00
dropreason.h
dsa_stubs.h
dsa.h
net: dsa: provide implementation of .support_eee()
2025-09-09 18:58:19 +02:00
dscp.h
dsfield.h
dst_cache.h
net: Correct spelling in headers
2024-08-26 09:37:23 -07:00
dst_metadata.h
dst_ops.h
dst.h
net: Add locking to protect skb->dev access in ip_output
2025-10-23 16:20:45 +02:00
eee.h
erspan.h
net: Correct spelling in headers
2024-08-26 09:37:23 -07:00
esp.h
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h
firewire.h
flow_dissector.h
flow_offload.h
flow.h
fou.h
fq_impl.h
fq.h
garp.h
gen_stats.h
genetlink.h
genetlink: hold RCU in genlmsg_mcast()
2024-10-15 17:52:58 -07:00
geneve.h
gre.h
gro_cells.h
gro.h
net: allow small head cache usage with large MAX_SKB_FRAGS values
2025-02-27 04:30:18 -08:00
gso.h
gtp.h
gue.h
handshake.h
hotdata.h
hwbm.h
net: Correct spelling in headers
2024-08-26 09:37:23 -07:00
icmp.h
ieee8021q.h
ieee80211_radiotap.h
Merge tag 'wireless-2024-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless
2024-10-25 10:44:41 +01:00
ieee802154_netdev.h
if_inet6.h
ife.h
inet6_connection_sock.h
inet6_hashtables.h
tcp: convert to dev_net_rcu()
2025-10-23 16:20:44 +02:00
inet_common.h
inet_connection_sock.h
tcp: cache RTAX_QUICKACK metric in a hot cache line
2025-10-23 16:20:45 +02:00
inet_dscp.h
inet_ecn.h
inet_frag.h
inet_hashtables.h
ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu]
2025-10-23 16:20:45 +02:00
inet_sock.h
inet_timewait_sock.h
tcp: remove volatile qualifier on tw_substate
2024-08-28 17:08:16 -07:00
inetpeer.h
inetpeer: remove create argument of inet_getpeer()
2025-02-08 09:57:06 +01:00
ioam6.h
ip6_checksum.h
ip6_fib.h
ip6_route.h
ip6_tunnel.h
ip_fib.h
ipv4: Fix user space build failure due to header change
2024-09-04 16:40:33 -07:00
ip_tunnels.h
net/ip6_tunnel: Prevent perpetual tunnel growth
2025-10-23 16:20:29 +02:00
ip_vs.h
ip.h
ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu]
2025-10-23 16:20:45 +02:00
ipcomp.h
ipconfig.h
ipv6_frag.h
ipv6_stubs.h
ipv6.h
ipv6: replace ipcm6_init calls with ipcm6_init_sk
2025-06-27 11:11:41 +01:00
iw_handler.h
wifi: cfg80211: wext: Update spelling and grammar
2024-09-03 11:49:27 +02:00
kcm.h
net: kcm: Fix race condition in kcm_unattach()
2025-08-20 18:30:18 +02:00
l3mdev.h
vrf: use RCU protection in l3mdev_l3_out()
2025-02-21 14:01:16 +01:00
lag.h
lapb.h
net: lapb: increase LAPB_HEADER_LEN
2024-12-19 18:13:13 +01:00
lib80211.h
wifi: lib80211: Handle const struct lib80211_crypto_ops in lib80211
2024-08-27 10:28:49 +02:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
net: Correct spelling in headers
2024-08-26 09:37:23 -07:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
lwtunnel.h
net: dst: annotate data-races around dst->output
2025-08-15 12:13:41 +02:00
mac80211.h
wifi: mac80211: avoid weird state in error path
2025-08-20 18:30:32 +02:00
mac802154.h
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
macsec.h
mctp.h
mctp: Handle error of rtnl_register_module().
2024-10-10 15:39:35 +02:00
mctpdevice.h
mip6.h
mld.h
mpls_iptunnel.h
mpls.h
mptcp.h
mptcp: fallback to TCP after SYN+MPC drops
2024-09-11 15:57:50 -07:00
mrp.h
ncsi.h
ndisc.h
neighbour.h
neighbour: add support for NUD_PERMANENT proxy entries
2025-08-20 18:30:37 +02:00
net_debug.h
Rename .data.once to .data..once to fix resetting WARN*_ONCE
2024-12-05 14:03:08 +01:00
net_failover.h
net_namespace.h
net: Add net_passive_inc() and net_passive_dec().
2025-08-20 18:30:56 +02:00
net_ratelimit.h
net_trackers.h
netdev_queues.h
net: export a helper for adding up queue stats
2025-05-18 08:24:50 +02:00
netdev_rx_queue.h
memory-provider: fix compilation issue without SYSFS
2024-09-12 21:00:26 -07:00
netevent.h
netkit.h
netlabel.h
netlink.h
net: Correct spelling in headers
2024-08-26 09:37:23 -07:00
netmem.h
page_pool: devmem support
2024-09-11 20:44:31 -07:00
netprio_cgroup.h
netrom.h
nexthop.h
nl802154.h
ieee802154: Correct spelling in nl802154.h
2024-08-30 22:30:55 +02:00
nsh.h
p8022.h
pfcp.h
pie.h
ping.h
pkt_cls.h
net: sched: refine software bypass handling in tc_run
2025-02-08 09:57:25 +01:00
pkt_sched.h
net/sched: sch_qfq: Fix null-deref in agg_dequeue
2025-11-02 22:15:20 +09:00
pptp.h
proto_memory.h
protocol.h
psample.h
psnap.h
raw.h
rawv6.h
red.h
regulatory.h
net: Correct spelling in headers
2024-08-26 09:37:23 -07:00
request_sock.h
rose.h
net: rose: convert 'use' field to refcount_t
2025-09-04 15:31:51 +02:00
route.h
ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu]
2025-10-23 16:20:45 +02:00
rpl.h
rps.h
rsi_91x.h
rstreason.h
rtnetlink.h
rtnetlink: Add bulk registration helpers for rtnetlink message handlers.
2024-10-10 15:39:35 +02:00
rtnh.h
sch_generic.h
net_sched: Flush gso_skb list too during ->change()
2025-05-22 14:29:39 +02:00
scm.h
secure_seq.h
seg6_hmac.h
seg6_local.h
seg6.h
selftests.h
slhc_vj.h
smc.h
snmp.h
sock_reuseport.h
sock.h
net: better track kernel sockets lifetime
2025-08-20 18:30:56 +02:00
Space.h
stp.h
strparser.h
strparser: Add read_sock callback
2025-02-27 04:30:19 -08:00
switchdev.h
tc_wrapper.h
tcp_ao.h
net/tcp: Add missing lockdep annotations for TCP-AO hlist traversals
2024-12-14 20:03:53 +01:00
tcp_states.h
tcp.h
bpf: Fix wrong copied_seq calculation
2025-02-27 04:30:19 -08:00
tcx.h
timewait_sock.h
tipc.h
tls_prot.h
tls_toe.h
tls.h
bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
2024-11-06 11:08:56 -08:00
transp_v6.h
tso.h
tun_proto.h
udp_tunnel.h
udp.h
net: drop UFO packets in udp_rcv_segment()
2025-08-15 12:14:06 +02:00
udplite.h
vsock_addr.h
vxlan.h
wext.h
x25.h
x25: Correct spelling in x25.h
2024-08-26 09:37:23 -07:00
x25device.h
xdp_priv.h
xdp_sock_drv.h
xdp_sock.h
xsk: Fix race condition in AF_XDP generic RX path
2025-05-09 09:50:38 +02:00
xdp.h
bpf: Clear pfmemalloc flag when freeing all fragments
2025-11-13 15:34:07 -05:00
xfrm.h
espintcp: remove encap socket caching to avoid reference leak
2025-05-29 11:03:14 +02:00
xsk_buff_pool.h
xsk: Fix race condition in AF_XDP generic RX path
2025-05-09 09:50:38 +02:00