From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
To: Marcel Holtmann <marcel@holtmann.org>,
Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S . Miller" <davem@davemloft.net>,
linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org,
"Lee, Chun-Yi" <jlee@suse.com>
Subject: [PATCH] Bluetooth: hci_event: Ignore NULL link key
Date: Sat, 15 Jul 2023 00:12:10 +0800 [thread overview]
Message-ID: <20230714161210.20969-1-jlee@suse.com> (raw)
This change is used to relieve CVE-2020-26555. The description of the
CVE:
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]
The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]
It's a reflection attack. Base on the paper, attacker can induce the
attacked target to generate null link key (zero key) without PIN code.
We can ignore null link key in the handler of "Link Key Notification
event" to relieve the attack. A similar implementation also shows in
btstack project. [3]
Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
net/bluetooth/hci_event.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 95816a938cea..e81b8d6c13ba 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
bool persistent;
u8 pin_len = 0;
+ /* Ignore NULL link key against CVE-2020-26555 */
+ if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+ BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);
+ return;
+ }
+
bt_dev_dbg(hdev, "");
hci_dev_lock(hdev);
--
2.35.3
next reply other threads:[~2023-07-14 16:12 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-14 16:12 Lee, Chun-Yi [this message]
2023-07-14 18:44 ` [PATCH] Bluetooth: hci_event: Ignore NULL link key Luiz Augusto von Dentz
2023-07-17 5:38 ` joeyli
[not found] ` <8eeb958e-d947-2f6d-5942-d30746cf1268@web.de>
2023-07-17 5:51 ` [PATCH] Bluetooth: hci_event: Ignore NULL link key in hci_link_key_notify_evt() joeyli
[not found] ` <7cae670e-b7c5-470b-536b-ab03513cd0a3@web.de>
2023-07-17 10:23 ` joeyli
2023-07-17 11:25 ` Dan Carpenter
2023-07-17 15:48 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230714161210.20969-1-jlee@suse.com \
--to=joeyli.kernel@gmail.com \
--cc=davem@davemloft.net \
--cc=jlee@suse.com \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox