From: bugzilla-daemon@kernel.org
To: linux-bluetooth@vger.kernel.org
Subject: [Bug 217581] Bluetooth L2CAP use-after-free
Date: Wed, 21 Jun 2023 10:44:35 +0000
Message-ID: <bug-217581-62941-7i7rUEgkuF@https.bugzilla.kernel.org/>
In-Reply-To: <bug-217581-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=217581
--- Comment #3 from Mohamed Yassine JEBABLI (mohamed-yassine.jebabli@witbe.net) ---
btmon trace:
@ MGMT Command: Load Long Te.. (0x0013) plen 38 {0x0001} [hci1] 835.836638
Keys: 1
LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Key type: Unauthenticated legacy key (0x00)
Central: 0x00
Encryption size: 16
Diversifier: 5565
Randomizer: 08014962c65a5aef
Key: ea06c5bdb5409c43d3935b7e5b79877a
@ MGMT Event: Command Complete (0x0001) plen 3 {0x0001} [hci1] 835.836651
Load Long Term Keys (0x0013) plen 0
Status: Success (0x00)
@ MGMT Command: Load Identit.. (0x0030) plen 25 {0x0001} [hci1] 835.837036
Keys: 1
LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Key: d74d35e5fd6e95d6804b8391487d76d8
@ MGMT Event: Command Complete (0x0001) plen 3 {0x0001} [hci1] 835.837046
Load Identity Resolving Keys (0x0030) plen 0
Status: Success (0x00)
< HCI Command: LE Clear Res.. (0x08|0x0029) plen 0 #1018 [hci1] 835.837519
> HCI Event: Command Complete (0x0e) plen 4 #1019 [hci1] 836.030177
LE Clear Resolving List (0x08|0x0029) ncmd 1
Status: Success (0x00)
< HCI Command: LE Add Devi.. (0x08|0x0027) plen 39 #1020 [hci1] 836.031432
Address type: Public (0x00)
Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Peer identity resolving key: d74d35e5fd6e95d6804b8391487d76d8
Local identity resolving key: 00000000000000000000000000000000
> HCI Event: Command Complete (0x0e) plen 4 #1021 [hci1] 836.033137
LE Add Device To Resolving List (0x08|0x0027) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Addre.. (0x08|0x002d) plen 1 #1022 [hci1] 836.033708
Address resolution: Enabled (0x01)
> HCI Event: Command Complete (0x0e) plen 4 #1023 [hci1] 836.035051
LE Set Address Resolution Enable (0x08|0x002d) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Adve.. (0x08|0x0008) plen 32 #1024 [hci1] 836.035618
Length: 15
Flags: 0x05
LE Limited Discoverable Mode
BR/EDR Not Supported
Appearance: Remote Control (0x0180)
16-bit Service UUIDs (partial): 3 entries
Human Interface Device (0x1812)
Battery Service (0x180f)
Device Information (0x180a)
> HCI Event: Command Complete (0x0e) plen 4 #1025 [hci1] 836.037143
LE Set Advertising Data (0x08|0x0008) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Scan.. (0x08|0x0009) plen 32 #1026 [hci1] 836.037778
Length: 22
Name (complete): NVIDIA SHIELD Remote
> HCI Event: Command Complete (0x0e) plen 4 #1027 [hci1] 836.039032
LE Set Scan Response Data (0x08|0x0009) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Adve.. (0x08|0x0006) plen 15 #1028 [hci1] 836.039649
Min advertising interval: 20.000 msec (0x0020)
Max advertising interval: 20.000 msec (0x0020)
Type: Connectable undirected - ADV_IND (0x00)
Own address type: Public (0x02)
Direct address type: Public (0x00)
Direct address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Channel map: 37, 38, 39 (0x07)
Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00)
> HCI Event: Command Complete (0x0e) plen 4 #1029 [hci1] 836.041059
LE Set Advertising Parameters (0x08|0x0006) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Adver.. (0x08|0x000a) plen 1 #1030 [hci1] 836.041617
Advertising: Enabled (0x01)
> HCI Event: Command Complete (0x0e) plen 4 #1031 [hci1] 836.044146
LE Set Advertise Enable (0x08|0x000a) ncmd 1
Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 31 #1032 [hci1] 836.776845
LE Enhanced Connection Complete (0x0a)
Status: Success (0x00)
Handle: 0 Address: 00:00:00:00:00:00 (OUI 00-00-00)
Role: Peripheral (0x01)
Peer address type: Resolved Public (0x02)
Peer address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Local resolvable private address: 00:00:00:00:00:00 (Non-Resolvable)
Peer resolvable private address: 53:6E:75:EF:0A:34 (Resolvable)
Identity type: Public (0x00)
Identity: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Connection interval: 48.75 msec (0x0027)
Connection latency: 0 (0x0000)
Supervision timeout: 10000 msec (0x03e8)
Central clock accuracy: 0x01
@ MGMT Event: Device Connected (0x000b) plen 13 {0x0001} [hci1] 836.776999
LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Flags: 0x00000000
Data length: 0
< HCI Command: LE Read Remo.. (0x08|0x0016) plen 2 #1033 [hci1] 836.777167
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
@ RAW Open: btmon (privileged) version 2.22 {0x0004} 836.777817
@ RAW Close: btmon {0x0004} 836.777829
> HCI Event: LE Meta Event (0x3e) plen 4 #1034 [hci1] 836.777798
LE Channel Selection Algorithm (0x14)
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Algorithm: #1 (0x00)
@ MGMT Command: Pair Device (0x0019) plen 8 {0x0001} [hci1] 836.777975
LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Capability: NoInputNoOutput (0x03)
@ MGMT Event: Command Complete (0x0001) plen 10 {0x0001} [hci1] 836.777985
Pair Device (0x0019) plen 7
Status: Already Paired (0x13)
LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
> HCI Event: Command Status (0x0f) plen 4 #1035 [hci1] 836.778817
LE Read Remote Used Features (0x08|0x0016) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Adver.. (0x08|0x000a) plen 1 #1036 [hci1] 836.779076
Advertising: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 4 #1037 [hci1] 836.780813
LE Set Advertise Enable (0x08|0x000a) ncmd 1
Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 12 #1038 [hci1] 836.885795
LE Read Remote Used Features (0x04)
Status: Success (0x00)
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Features: 0xff 0x00 0x00 0x00 0x00 0x00 0x00 0x00
LE Encryption
Connection Parameter Request Procedure
Extended Reject Indication
Peripheral-initiated Features Exchange
LE Ping
LE Data Packet Length Extension
LL Privacy
Extended Scanner Filter Policies
< ACL Data TX: Handle 0 flags 0x00 dlen 6 #1039 [hci1] 836.886185
SMP: Security Request (0x0b) len 1
Authentication requirement: Bonding, No MITM, Legacy, No Keypresses (0x01)
> HCI Event: Number of Completed P.. (0x13) plen 5 #1040 [hci1] 836.982862
Num handles: 1
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Count: 1
> HCI Event: LE Meta Event (0x3e) plen 13 #1041 [hci1] 837.031821
LE Long Term Key Request (0x05)
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Random number: 0xef5a5ac662490108
Encrypted diversifier: 0x6555
< HCI Command: LE Long Ter.. (0x08|0x001a) plen 18 #1042 [hci1] 837.031865
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Long term key: ea06c5bdb5409c43d3935b7e5b79877a
> HCI Event: Command Complete (0x0e) plen 6 #1043 [hci1] 837.033755
LE Long Term Key Request Reply (0x08|0x001a) ncmd 1
Status: Success (0x00)
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
> HCI Event: Encryption Change (0x08) plen 4 #1044 [hci1] 837.177841
Status: Success (0x00)
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Encryption: Enabled with AES-CCM (0x01)
< HCI Command: Write Authen.. (0x03|0x007c) plen 4 #1045 [hci1] 837.177998
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Timeout: 30000 msec (0x0bb8)
> HCI Event: Command Complete (0x0e) plen 6 #1046 [hci1] 837.179778
Write Authenticated Payload Timeout (0x03|0x007c) ncmd 1
Status: Success (0x00)
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
> HCI Event: Disconnect Complete (0x05) plen 4 #1047 [hci1] 837.275758
Status: Success (0x00)
Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Reason: Remote User Terminated Connection (0x13)
@ MGMT Event: Device Disconne.. (0x000c) plen 8 {0x0001} [hci1] 837.275853
LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
Reason: Connection terminated by remote host (0x03)
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.