From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6DBF3307AD9; Wed, 3 Dec 2025 15:44:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764776684; cv=none; b=CQqWZljCJIKEr225+P+A1D/FtoMwFeMWC6w84kk6DRi1ZywyCpTwIaIqlM5MYWVIKgDwnIYTFnPt7X1nFtqTZA7+fV3m3GMzh4LAcSnJpq6Drg45PRgG+RjB1RmzwTSoxiTiivnuhsx/wGTrw73NPMJNQezM3b80udzg31z92rg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764776684; c=relaxed/simple; bh=Ws7lfQ83yvWFlQkh4CFzO2Lx15ofF/QW1Vm9uW7xkT8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OviSlioYtKaDt9axxyVDEM7dPka4lqf2ogXFrL49GRFcZRmXYcDSgDcTQinV4n6XNwqTZcxHAK5qfVsBrbnrbVt7DRLZmXu7IuB+ZOqCWV/O3VM9jdaGusHRRRVgAFbn1PkY3AboLSxdSe/meLhXMg682NcbdzH6X2FP0/L3mIM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=o5BjaphB; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="o5BjaphB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 72CAEC4CEF5; Wed, 3 Dec 2025 15:44:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1764776683; bh=Ws7lfQ83yvWFlQkh4CFzO2Lx15ofF/QW1Vm9uW7xkT8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=o5BjaphBZPCg8BwBIXeobmUr7ca8EPNoyjJscRKBVo6zOYQDmVo/AL5oFRUUPHOHa ve5IRGdd/d+UvmNzKCjgmw8r0O+0BkBnyexf0xPdC/bAnhlf6air0PMxaFH3INGDLO EBB3qDJ8g6/1YTCwjqMU5H6rrNjehMMp7A4R5w+U= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Luiz Augusto von Dentz , Sasha Levin Subject: [PATCH 5.10 257/300] Bluetooth: SMP: Fix not generating mackey and ltk when repairing Date: Wed, 3 Dec 2025 16:27:41 +0100 Message-ID: <20251203152410.160920206@linuxfoundation.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251203152400.447697997@linuxfoundation.org> References: <20251203152400.447697997@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Luiz Augusto von Dentz [ Upstream commit 545d7827b2cd5de5eb85580cebeda6b35b3ff443 ] The change eed467b517e8 ("Bluetooth: fix passkey uninitialized when used") introduced a goto that bypasses the creation of temporary mackey and ltk which are later used by the likes of DHKey Check step. Later ffee202a78c2 ("Bluetooth: Always request for user confirmation for Just Works (LE SC)") which means confirm_hint is always set in case JUST_WORKS so the branch checking for an existing LTK becomes pointless as confirm_hint will always be set, so this just merge both cases of malicious or legitimate devices to be confirmed before continuing with the pairing procedure. Link: https://github.com/bluez/bluez/issues/1622 Fixes: eed467b517e8 ("Bluetooth: fix passkey uninitialized when used") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin --- net/bluetooth/smp.c | 31 +++++++------------------------ 1 file changed, 7 insertions(+), 24 deletions(-) diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index fc896d39a6d95..79550d115364e 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -2131,7 +2131,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) struct smp_chan *smp = chan->data; struct hci_conn *hcon = conn->hcon; u8 *pkax, *pkbx, *na, *nb, confirm_hint; - u32 passkey; + u32 passkey = 0; int err; bt_dev_dbg(hcon->hdev, "conn %p", conn); @@ -2183,24 +2183,6 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), smp->prnd); SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); - - /* Only Just-Works pairing requires extra checks */ - if (smp->method != JUST_WORKS) - goto mackey_and_ltk; - - /* If there already exists long term key in local host, leave - * the decision to user space since the remote device could - * be legitimate or malicious. - */ - if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, - hcon->role)) { - /* Set passkey to 0. The value can be any number since - * it'll be ignored anyway. - */ - passkey = 0; - confirm_hint = 1; - goto confirm; - } } mackey_and_ltk: @@ -2221,11 +2203,12 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) if (err) return SMP_UNSPECIFIED; - confirm_hint = 0; - -confirm: - if (smp->method == JUST_WORKS) - confirm_hint = 1; + /* Always require user confirmation for Just-Works pairing to prevent + * impersonation attacks, or in case of a legitimate device that is + * repairing use the confirmation as acknowledgment to proceed with the + * creation of new keys. + */ + confirm_hint = smp->method == JUST_WORKS ? 1 : 0; err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type, passkey, confirm_hint); -- 2.51.0