diff for duplicates of <20231001084934.GA16906@linux-691t> diff --git a/a/1.txt b/N1/1.txt index 0944ba6..d7e9462 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,4 +1,4 @@ -This patch set is used to relieve CVE-2020-26555. The description of the +This change is used to relieve CVE-2020-26555. The description of the CVE: Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 
@@ -16,27 +16,43 @@ code. In BR/EDR, the key generation is actually handled in the controller which is below HCI. Thus, we can ignore null link key in the handler of "Link Key Notification -event" to relieve the attack. And, a condition of this attack is that -attacker should change the BR_ADDR of his hacking device (Host B) to equal -to the BR_ADDR with the target device being attacked (Host A). So we reject -the connection with device which has same BD_ADDR both on HCI_Create_Connection -and HCI_Connection_Request to prevent the attack. +event" to relieve the attack. A similar implementation also shows in +btstack project. [3] -Similar implementations also show in btstack project. [3][4][5] +v3: Drop the connection when null link key be detected. +v2: +- Used Link: tag instead of Closes: +- Used bt_dev_dbg instead of BT_DBG +- Added Fixes: tag + +Fixes: 55ed8ca10f35 ("Bluetooth: Implement link key handling for the management interface") Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1] Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2] Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3] -Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4] -Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5] - -Lee, Chun-Yi (2): - Bluetooth: hci_event: Ignore NULL link key - Bluetooth: Reject connection with the device which has same BD_ADDR - - net/bluetooth/hci_conn.c | 7 +++++++ - net/bluetooth/hci_event.c | 16 ++++++++++++++++ - 2 files changed, 23 insertions(+) - +Signed-off-by: Lee, Chun-Yi <jlee@suse.com> +--- + net/bluetooth/hci_event.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 35f251041eeb..2830abbdd329 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4741,6 +4741,14 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, 
+ if (!conn) + goto unlock; + ++ /* Ignore NULL link key against CVE-2020-26555 */ ++ if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { ++ bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr); ++ hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); ++ hci_conn_drop(conn); ++ goto unlock; ++ } ++ + hci_conn_hold(conn); + conn->disc_timeout = HCI_DISCONN_TIMEOUT; + hci_conn_drop(conn); -- 2.35.3 diff --git a/a/content_digest b/N1/content_digest index becca22..f2a3ab5 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,6 +1,6 @@ "From\0Lee, Chun-Yi <jlee@suse.com>\0" - "Subject\0[PATCH 0/2] Bluetooth: ignore NULL link key and reject connection with the device which has same BD_ADDR\0" - "Date\0Sun, 1 Oct 2023 16:49:34 +0800\0" + "Subject\0[PATCH 1/2] Bluetooth: hci_event: Ignore NULL link key\0" + "Date\0Sun, 1 Oct 2023 16:53:52 +0800\0" "To\0Marcel Holtmann <marcel@holtmann.org>" Johan Hedberg <johan.hedberg@gmail.com> " Luiz Augusto von Dentz <luiz.dentz@gmail.com>\0" @@ -8,7 +8,7 @@ " linux-bluetooth@vger.kernel.org\0" "\00:1\0" "b\0" - "This patch set is used to relieve CVE-2020-26555. The description of the\n" + "This change is used to relieve CVE-2020-26555. The description of the\n" "CVE:\n" "\n" "Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification\n" 
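Review bot: The null-key check added to hci_link_key_notify_evt compares key material with `memcmp`; the kernel convention for comparing keys is the constant-time `crypto_memneq`, i.e. `if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {`. The comparison is against a public all-zero constant, so the timing exposure is small, but the fixed-time helper keeps this consistent with the rest of the key handling at no cost. The added `bt_dev_dbg` line also exceeds 80 columns and should be wrapped after the format string. This branch calls `hci_conn_drop(conn)` without the `hci_conn_hold(conn)` the normal path performs just below it, so it releases one more reference than the success path; if that is intended to release the reference taken when the connection was set up, a one-line comment saying so would make the refcounting auditable. hci_link_key_notify_evt's body begins and ends outside the hunk.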
@@ -26,29 +26,45 @@ "which is below HCI.\n" "\n" "Thus, we can ignore null link key in the handler of \"Link Key Notification\n" - "event\" to relieve the attack. And, a condition of this attack is that\n" - "attacker should change the BR_ADDR of his hacking device (Host B) to equal\n" - "to the BR_ADDR with the target device being attacked (Host A). So we reject\n" - "the connection with device which has same BD_ADDR both on HCI_Create_Connection\n" - "and HCI_Connection_Request to prevent the attack.\n" + "event\" to relieve the attack. A similar implementation also shows in\n" + "btstack project. [3]\n" "\n" - "Similar implementations also show in btstack project. [3][4][5]\n" + "v3: Drop the connection when null link key be detected.\n" "\n" + "v2:\n" + "- Used Link: tag instead of Closes:\n" + "- Used bt_dev_dbg instead of BT_DBG\n" + "- Added Fixes: tag\n" + "\n" + "Fixes: 55ed8ca10f35 (\"Bluetooth: Implement link key handling for the management interface\")\n" "Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]\n" "Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]\n" "Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]\n" - "Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4]\n" - "Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5]\n" - "\n" - "Lee, Chun-Yi (2):\n" - " Bluetooth: hci_event: Ignore NULL link key\n" - " Bluetooth: Reject connection with the device which has same BD_ADDR\n" - "\n" - " net/bluetooth/hci_conn.c | 7 +++++++\n" - " net/bluetooth/hci_event.c | 16 ++++++++++++++++\n" - " 2 files changed, 23 insertions(+)\n" + "Signed-off-by: Lee, Chun-Yi <jlee@suse.com>\n" + "---\n" + " net/bluetooth/hci_event.c | 8 ++++++++\n" + " 1 file changed, 8 insertions(+)\n" "\n" + "diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c\n" + "index 35f251041eeb..2830abbdd329 100644\n" + "--- a/net/bluetooth/hci_event.c\n" 
+ "+++ b/net/bluetooth/hci_event.c\n" + "@@ -4741,6 +4741,14 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,\n" + " \tif (!conn)\n" + " \t\tgoto unlock;\n" + " \n" + "+\t/* Ignore NULL link key against CVE-2020-26555 */\n" + "+\tif (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {\n" + "+\t\tbt_dev_dbg(hdev, \"Ignore NULL link key (ZERO KEY) for %pMR\", &ev->bdaddr);\n" + "+\t\thci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);\n" + "+\t\thci_conn_drop(conn);\n" + "+\t\tgoto unlock;\n" + "+\t}\n" + "+\n" + " \thci_conn_hold(conn);\n" + " \tconn->disc_timeout = HCI_DISCONN_TIMEOUT;\n" + " \thci_conn_drop(conn);\n" "-- \n" 2.35.3 -ff74d304094f2ea5f566e9944f1cd4f0c69aa31a29c95c9a913766b7e9227833 +7a116aadf657a7ff20abe7c9d2d34f3e699a2c8141cc7392e7bef38a6bf1e7a6
diff --git a/a/1.txt b/N2/1.txt index 0944ba6..1349533 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -1,5 +1,5 @@ -This patch set is used to relieve CVE-2020-26555. The description of the -CVE: +This change is used to relieve CVE-2020-26555. The description of +the CVE: Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof 
@@ -15,28 +15,61 @@ the attacked target to generate null link key (zero key) without PIN code. In BR/EDR, the key generation is actually handled in the controller which is below HCI. -Thus, we can ignore null link key in the handler of "Link Key Notification -event" to relieve the attack. And, a condition of this attack is that -attacker should change the BR_ADDR of his hacking device (Host B) to equal -to the BR_ADDR with the target device being attacked (Host A). So we reject -the connection with device which has same BD_ADDR both on HCI_Create_Connection -and HCI_Connection_Request to prevent the attack. +A condition of this attack is that attacker should change the +BR_ADDR of his hacking device (Host B) to equal to the BR_ADDR with +the target device being attacked (Host A). -Similar implementations also show in btstack project. [3][4][5] +Thus, we reject the connection with device which has same BD_ADDR +both on HCI_Create_Connection and HCI_Connection_Request to prevent +the attack. A similar implementation also shows in btstack project. 
+[3][4] Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1] Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2] -Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3] -Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4] -Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5] - -Lee, Chun-Yi (2): - Bluetooth: hci_event: Ignore NULL link key - Bluetooth: Reject connection with the device which has same BD_ADDR - - net/bluetooth/hci_conn.c | 7 +++++++ - net/bluetooth/hci_event.c | 16 ++++++++++++++++ - 2 files changed, 23 insertions(+) +Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [3] +Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [4] +Signed-off-by: Lee, Chun-Yi <jlee@suse.com> +--- + net/bluetooth/hci_conn.c | 7 +++++++ + net/bluetooth/hci_event.c | 8 ++++++++ + 2 files changed, 15 insertions(+) +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 9d5057cef30a..21c831f1fec6 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1627,6 +1627,13 @@ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, + return ERR_PTR(-EOPNOTSUPP); + } + ++ /* Reject outgoing connection to device with same BD ADDR against CVE-2020-26555 */ ++ if (!bacmp(&hdev->bdaddr, dst)) ++ { ++ bt_dev_dbg(hdev, "Reject connection to the device with same BD_ADDR %pMR\n", dst); ++ return ERR_PTR(-ECONNREFUSED); ++ } ++ + acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); + if (!acl) { + acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 2830abbdd329..df97dd64be6a 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3267,6 +3267,14 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data, + + bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, 
ev->link_type); + ++ /* Reject incoming connection from device with same BD ADDR against CVE-2020-26555 */ ++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) ++ { ++ bt_dev_dbg(hdev, "Reject connection from the device with same BD_ADDR %pMR\n", &ev->bdaddr); ++ hci_reject_conn(hdev, &ev->bdaddr); ++ return; ++ } ++ + mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, + &flags); + -- 2.35.3 diff --git a/a/content_digest b/N2/content_digest index becca22..aab36cf 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -1,6 +1,6 @@ "From\0Lee, Chun-Yi <jlee@suse.com>\0" - "Subject\0[PATCH 0/2] Bluetooth: ignore NULL link key and reject connection with the device which has same BD_ADDR\0" - "Date\0Sun, 1 Oct 2023 16:49:34 +0800\0" + "Subject\0[PATCH 2/2] Bluetooth: Reject connection with the device which has same BD_ADDR\0" + "Date\0Sun, 1 Oct 2023 16:54:24 +0800\0" "To\0Marcel Holtmann <marcel@holtmann.org>" Johan Hedberg <johan.hedberg@gmail.com> " Luiz Augusto von Dentz <luiz.dentz@gmail.com>\0" @@ -8,8 +8,8 @@ " linux-bluetooth@vger.kernel.org\0" "\00:1\0" "b\0" - "This patch set is used to relieve CVE-2020-26555. The description of the\n" - "CVE:\n" + "This change is used to relieve CVE-2020-26555. The description of\n" + "the CVE:\n" "\n" "Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification\n" "1.0B through 5.2 may permit an unauthenticated nearby device to spoof\n" 
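Review bot: Both added `bt_dev_dbg` messages in hci_connect_acl and hci_conn_request_evt end in `\n`, while `bt_dev_dbg` already terminates the line (it expands to `pr_debug` with a trailing newline) and the existing `bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", ...)` context line in the same hunk carries none; drop the `\n` from both strings so the debug output stays consistent. The `if (...)` followed by `{` on its own line is not kernel style; write `if (!bacmp(&hdev->bdaddr, dst)) {` and `if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {` with the brace on the condition line. The two single-line comments also run past 80 columns and would read better as two-line block comments. Both enclosing functions start and end outside the hunk.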
@@ -25,30 +25,63 @@ "code. In BR/EDR, the key generation is actually handled in the controller\n" "which is below HCI.\n" "\n" - "Thus, we can ignore null link key in the handler of \"Link Key Notification\n" - "event\" to relieve the attack. And, a condition of this attack is that\n" - "attacker should change the BR_ADDR of his hacking device (Host B) to equal\n" - "to the BR_ADDR with the target device being attacked (Host A). So we reject\n" - "the connection with device which has same BD_ADDR both on HCI_Create_Connection\n" - "and HCI_Connection_Request to prevent the attack.\n" + "A condition of this attack is that attacker should change the\n" + "BR_ADDR of his hacking device (Host B) to equal to the BR_ADDR with\n" + "the target device being attacked (Host A).\n" "\n" - "Similar implementations also show in btstack project. [3][4][5]\n" + "Thus, we reject the connection with device which has same BD_ADDR\n" + "both on HCI_Create_Connection and HCI_Connection_Request to prevent\n" + "the attack. 
A similar implementation also shows in btstack project.\n" + "[3][4]\n" "\n" "Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]\n" "Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]\n" - "Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]\n" - "Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4]\n" - "Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5]\n" - "\n" - "Lee, Chun-Yi (2):\n" - " Bluetooth: hci_event: Ignore NULL link key\n" - " Bluetooth: Reject connection with the device which has same BD_ADDR\n" - "\n" - " net/bluetooth/hci_conn.c | 7 +++++++\n" - " net/bluetooth/hci_event.c | 16 ++++++++++++++++\n" - " 2 files changed, 23 insertions(+)\n" + "Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [3]\n" + "Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [4]\n" + "Signed-off-by: Lee, Chun-Yi <jlee@suse.com>\n" + "---\n" + " net/bluetooth/hci_conn.c | 7 +++++++\n" + " net/bluetooth/hci_event.c | 8 ++++++++\n" + " 2 files changed, 15 insertions(+)\n" "\n" + "diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c\n" + "index 9d5057cef30a..21c831f1fec6 100644\n" + "--- a/net/bluetooth/hci_conn.c\n" + "+++ b/net/bluetooth/hci_conn.c\n" + "@@ -1627,6 +1627,13 @@ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,\n" + " \t\treturn ERR_PTR(-EOPNOTSUPP);\n" + " \t}\n" + " \n" + "+\t/* Reject outgoing connection to device with same BD ADDR against CVE-2020-26555 */\n" + "+\tif (!bacmp(&hdev->bdaddr, dst))\n" + "+\t{\n" + "+\t\tbt_dev_dbg(hdev, \"Reject connection to the device with same BD_ADDR %pMR\\n\", dst);\n" + "+\t\treturn ERR_PTR(-ECONNREFUSED);\n" + "+\t}\n" + "+\n" + " \tacl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);\n" + " \tif (!acl) {\n" + " \t\tacl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);\n" + "diff --git a/net/bluetooth/hci_event.c 
b/net/bluetooth/hci_event.c\n" + "index 2830abbdd329..df97dd64be6a 100644\n" + "--- a/net/bluetooth/hci_event.c\n" + "+++ b/net/bluetooth/hci_event.c\n" + "@@ -3267,6 +3267,14 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,\n" + " \n" + " \tbt_dev_dbg(hdev, \"bdaddr %pMR type 0x%x\", &ev->bdaddr, ev->link_type);\n" + " \n" + "+\t/* Reject incoming connection from device with same BD ADDR against CVE-2020-26555 */\n" + "+\tif (!bacmp(&hdev->bdaddr, &ev->bdaddr))\n" + "+\t{\n" + "+\t\tbt_dev_dbg(hdev, \"Reject connection from the device with same BD_ADDR %pMR\\n\", &ev->bdaddr);\n" + "+\t\thci_reject_conn(hdev, &ev->bdaddr);\n" + "+\t\treturn;\n" + "+\t}\n" + "+\n" + " \tmask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,\n" + " \t\t\t\t &flags);\n" + " \n" "-- \n" 2.35.3 -ff74d304094f2ea5f566e9944f1cd4f0c69aa31a29c95c9a913766b7e9227833 +a33ed79c5db7cfb872f01958408e8060cbbfbe20cb155996da4f06a22dcf7a3a