In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data. KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path: BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg() Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].
| Vendor | Product | Versions |
|---|---|---|
| linux | linux kernel | 2bb36870e8cb29949ef9acec37129cd8e70f1857, 2bb36870e8cb29949ef9acec37129cd8e70f1857, 2bb36870e8cb29949ef9acec37129cd8e70f1857, 2bb36870e8cb29949ef9acec37129cd8e70f1857, 2bb36870e8cb29949ef9acec37129cd8e70f1857, 2bb36870e8cb29949ef9acec37129cd8e70f1857, 2bb36870e8cb29949ef9acec37129cd8e70f1857, 2bb36870e8cb29949ef9acec37129cd8e70f1857, 4.9, 7.0.12, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1 |
Updated description with technical details, added affected versions, and marked exploit availability as true.
Updated description with critical severity, added affected version 7.0.12, and noted that no exploit exists.
Initial creation
