[Bug 218151] New: Bluetooth: Erratic HCI_Command_Status without Inquiry

[bugzilla-daemon@kernel.org]

https://bugzilla.kernel.org/show_bug.cgi?id=218151

            Bug ID: 218151
           Summary: Bluetooth: Erratic HCI_Command_Status without Inquiry
           Product: Drivers
           Version: 2.5
          Hardware: Intel
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Bluetooth
          Assignee: linux-bluetooth@vger.kernel.org
          Reporter: sy2239101@buaa.edu.cn
        Regression: No

Created attachment 305410
  --> https://bugzilla.kernel.org/attachment.cgi?id=305410&action=edit
wireshark screenshot

Our fuzzing tool finds a possible semantic bug in the Bluetooth system in Linux
6.2:

According to the core specification v5.4, the HCI_Inquiry command triggers the
BR/EDR Controller to enter Inquiry Mode, a process used for discovering nearby
BR/EDR Controllers. Furthermore, it is specified that an HCI_Command_Status
event should be sent to the Host when the BR/EDR Controller has started the
Inquiry process.

In our testing, if a related HCI_Command_Status event is sent by the controller
without a preceding HCI_Inquiry command from the host, this could lead to a
failure in establishing Bluetooth connections.

Through our examination and debugging of the Linux 6.2 source code, we have
identified the underlying cause of the observed phenomenon:

(1.1) When the HCI_Command_Status event related to the HCI_Inquiry command is
received, the function hci_cs_inquiry (/net/bluetooth/hci_event.c:2289) is
called.

(1.2) This leads to the execution of set_bit(HCI_INQUIRY, &hdev->flags);
(/net/bluetooth/hci_event.c:2298).

(2.1) Upon initiating an ACL connection for the first time, the function
hci_acl_create_connection (/net/bluetooth/hci_conn.c:212) is called.

(2.2) The result of test_bit(HCI_INQUIRY, &hdev->flags)
(/net/bluetooth/hci_conn.c:228) being true causes the connection's state to
change to BT_CONNECT2, and the HCI_Inquiry_Cancel command is sent.

(3.1) When the HCI_Command_Complete event related to the HCI_Inquiry_Cancel
command is received, the function hci_cc_inquiry_cancel
(/net/bluetooth/hci_event.c:84) is called.

(3.2) The Status field of the HCI_Command_Complete event being 0x0c results in
the execution of return rp->status; (/net/bluetooth/hci_event.c:104).

(4.1) A timeout triggers hci_conn_timeout (/net/bluetooth/hci_conn.c:638),
which in turn calls hci_abort_conn (/net/bluetooth/hci_conn.c:2771).

(4.2) This leads to the execution of case BT_CONNECT2:
(/net/bluetooth/hci_conn.c:2771), where the HCI_Reject_Connection_Request
command is sent. 

We are not sure whether this is a semantic bug or implementation feature in the
Linux kernel. Any feedback would be appreciated, thanks!

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.