[PATCH] Bluetooth: hci_event: Ignore NULL link key

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Bluetooth: hci_event: Ignore NULL link key
@ 2023-07-14 16:12 Lee, Chun-Yi
  2023-07-14 18:44 ` Luiz Augusto von Dentz
       [not found] ` <8eeb958e-d947-2f6d-5942-d30746cf1268@web.de>
  0 siblings, 2 replies; 7+ messages in thread
From: Lee, Chun-Yi @ 2023-07-14 16:12 UTC (permalink / raw)
  To: Marcel Holtmann, Johan Hedberg
  Cc: David S . Miller, linux-kernel, linux-bluetooth, Lee, Chun-Yi

This change is used to relieve CVE-2020-26555. The description of the
CVE:

Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]

The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]

It's a reflection attack. Base on the paper, attacker can induce the
attacked target to generate null link key (zero key) without PIN code.

We can ignore null link key in the handler of "Link Key Notification
event" to relieve the attack. A similar implementation also shows in
btstack project. [3]

Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 net/bluetooth/hci_event.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 95816a938cea..e81b8d6c13ba 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
 	bool persistent;
 	u8 pin_len = 0;
 
+	/* Ignore NULL link key against CVE-2020-26555 */
+	if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+		BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);
+		return;
+	}
+
 	bt_dev_dbg(hdev, "");
 
 	hci_dev_lock(hdev);
-- 
2.35.3


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH] Bluetooth: hci_event: Ignore NULL link key
  2023-07-14 16:12 [PATCH] Bluetooth: hci_event: Ignore NULL link key Lee, Chun-Yi
@ 2023-07-14 18:44 ` Luiz Augusto von Dentz
  2023-07-17  5:38   ` joeyli
       [not found] ` <8eeb958e-d947-2f6d-5942-d30746cf1268@web.de>
  1 sibling, 1 reply; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2023-07-14 18:44 UTC (permalink / raw)
  To: Lee, Chun-Yi
  Cc: Marcel Holtmann, Johan Hedberg, David S . Miller, linux-kernel,
	linux-bluetooth, Lee, Chun-Yi

Hi Chun-Yi,

On Fri, Jul 14, 2023 at 9:14 AM Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote:
>
> This change is used to relieve CVE-2020-26555. The description of the
> CVE:
>
> Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> the BD_ADDR of the peer device to complete pairing without knowledge
> of the PIN. [1]
>
> The detail of this attack is in IEEE paper:
> BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> [2]
>
> It's a reflection attack. Base on the paper, attacker can induce the
> attacked target to generate null link key (zero key) without PIN code.
>
> We can ignore null link key in the handler of "Link Key Notification
> event" to relieve the attack. A similar implementation also shows in
> btstack project. [3]
>
> Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]

Shouldn't the last 2 be using Link: instead?

> Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
> ---
>  net/bluetooth/hci_event.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 95816a938cea..e81b8d6c13ba 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
>         bool persistent;
>         u8 pin_len = 0;
>
> +       /* Ignore NULL link key against CVE-2020-26555 */
> +       if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
> +               BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);

Please use bt_dev_dbg instead.

> +               return;
> +       }
> +
>         bt_dev_dbg(hdev, "");
>
>         hci_dev_lock(hdev);
> --
> 2.35.3
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] Bluetooth: hci_event: Ignore NULL link key
  2023-07-14 18:44 ` Luiz Augusto von Dentz
@ 2023-07-17  5:38   ` joeyli
  0 siblings, 0 replies; 7+ messages in thread
From: joeyli @ 2023-07-17  5:38 UTC (permalink / raw)
  To: Luiz Augusto von Dentz
  Cc: Lee, Chun-Yi, Marcel Holtmann, Johan Hedberg, David S . Miller,
	linux-kernel, linux-bluetooth

Hi Luiz Augusto von Dentz,

First, thanks for your review!

On Fri, Jul 14, 2023 at 11:44:28AM -0700, Luiz Augusto von Dentz wrote:
> Hi Chun-Yi,
> 
> On Fri, Jul 14, 2023 at 9:14 AM Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote:
> >
> > This change is used to relieve CVE-2020-26555. The description of the
> > CVE:
> >
> > Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> > 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> > the BD_ADDR of the peer device to complete pairing without knowledge
> > of the PIN. [1]
> >
> > The detail of this attack is in IEEE paper:
> > BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> > [2]
> >
> > It's a reflection attack. Base on the paper, attacker can induce the
> > attacked target to generate null link key (zero key) without PIN code.
> >
> > We can ignore null link key in the handler of "Link Key Notification
> > event" to relieve the attack. A similar implementation also shows in
> > btstack project. [3]
> >
> > Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> > Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> > Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
> 
> Shouldn't the last 2 be using Link: instead?
> 

Sorry for I confused Link: with Closes:. I will change all of them to Link: tag

> > Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
> > ---
> >  net/bluetooth/hci_event.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 95816a938cea..e81b8d6c13ba 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
> >         bool persistent;
> >         u8 pin_len = 0;
> >
> > +       /* Ignore NULL link key against CVE-2020-26555 */
> > +       if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
> > +               BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);
> 
> Please use bt_dev_dbg instead.
>

I see! I will use bt_dev_dbg.
 
> > +               return;
> > +       }
> > +
> >         bt_dev_dbg(hdev, "");
> >
> >         hci_dev_lock(hdev);
> > --
> > 2.35.3
> >

Thanks a lot!
Joey Lee

^ permalink raw reply	[flat|nested] 7+ messages in thread

[parent not found: <8eeb958e-d947-2f6d-5942-d30746cf1268@web.de>]

* Re: [PATCH] Bluetooth: hci_event: Ignore NULL link key in hci_link_key_notify_evt()
       [not found] ` <8eeb958e-d947-2f6d-5942-d30746cf1268@web.de>
@ 2023-07-17  5:51   ` joeyli
       [not found]     ` <7cae670e-b7c5-470b-536b-ab03513cd0a3@web.de>
  0 siblings, 1 reply; 7+ messages in thread
From: joeyli @ 2023-07-17  5:51 UTC (permalink / raw)
  To: Markus Elfring
  Cc: Chun-Yi Lee, linux-bluetooth, kernel-janitors, Marcel Holtmann,
	Johan Hedberg, LKML, David S. Miller

Hi Markus,

Thanks for your review!

On Fri, Jul 14, 2023 at 10:30:17PM +0200, Markus Elfring wrote:
> …
> > We can ignore null link key in the handler of "Link Key Notification
> > event" to relieve the attack. …
> 
> Are imperative change descriptions still preferred?
> 
> See also:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.5-rc1#n94
> 
> 
> How do you think about to add the tag “Fixes” because of
> an added case distinction?
>

Sorry for I didn't capture your point. The "Link Key Notification event" 
is a term in bluetooth-core spec. What should I change in my patch
description?

Thanks a lot!
Joey Le

^ permalink raw reply	[flat|nested] 7+ messages in thread

[parent not found: <7cae670e-b7c5-470b-536b-ab03513cd0a3@web.de>]

* Re: [PATCH] Bluetooth: hci_event: Ignore NULL link key in hci_link_key_notify_evt()
       [not found]     ` <7cae670e-b7c5-470b-536b-ab03513cd0a3@web.de>
@ 2023-07-17 10:23       ` joeyli
  2023-07-17 11:25         ` Dan Carpenter
  0 siblings, 1 reply; 7+ messages in thread
From: joeyli @ 2023-07-17 10:23 UTC (permalink / raw)
  To: Markus Elfring
  Cc: linux-bluetooth, kernel-janitors, Chun-Yi Lee, David S. Miller,
	Johan Hedberg, Marcel Holtmann, LKML

Hi Markus,

On Mon, Jul 17, 2023 at 08:15:56AM +0200, Markus Elfring wrote:
> >> …
> >>> We can ignore null link key in the handler of "Link Key Notification
> >>> event" to relieve the attack. …
> …
> > Sorry for I didn't capture your point.
> 
> Did you provide sufficient justification for a possible addition of the tag “Fixes”?
>

This patch is against a CVE. The issue is not introduced by any old kernel
patch. So I think it doesn't need Fixes: tag.
 
> 
> > What should I change in my patch description?
> 
> I hope that corresponding imperative wordings can become more helpful
> also according to another Linux development requirement.
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.5-rc1#n94
>

Thanks a lot!
Joey LEe 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] Bluetooth: hci_event: Ignore NULL link key in hci_link_key_notify_evt()
  2023-07-17 10:23       ` joeyli
@ 2023-07-17 11:25         ` Dan Carpenter
  2023-07-17 15:48           ` joeyli
  0 siblings, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2023-07-17 11:25 UTC (permalink / raw)
  To: joeyli
  Cc: Markus Elfring, linux-bluetooth, kernel-janitors, Chun-Yi Lee,
	David S. Miller, Johan Hedberg, Marcel Holtmann, LKML

On Mon, Jul 17, 2023 at 06:23:10PM +0800, joeyli wrote:
> Hi Markus,
> 
> On Mon, Jul 17, 2023 at 08:15:56AM +0200, Markus Elfring wrote:
> > >> …
> > >>> We can ignore null link key in the handler of "Link Key Notification
> > >>> event" to relieve the attack. …
> > …
> > > Sorry for I didn't capture your point.
> > 
> > Did you provide sufficient justification for a possible addition of the tag “Fixes”?
> >
> 
> This patch is against a CVE. The issue is not introduced by any old kernel
> patch. So I think it doesn't need Fixes: tag.

You should probably put a Fixes tag against when the feature was
introduced.  (Kernel's prior to that were not affected by the CVE).

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] Bluetooth: hci_event: Ignore NULL link key in hci_link_key_notify_evt()
  2023-07-17 11:25         ` Dan Carpenter
@ 2023-07-17 15:48           ` joeyli
  0 siblings, 0 replies; 7+ messages in thread
From: joeyli @ 2023-07-17 15:48 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Markus Elfring, linux-bluetooth, kernel-janitors, Chun-Yi Lee,
	David S. Miller, Johan Hedberg, Marcel Holtmann, LKML

Hi Dan,

On Mon, Jul 17, 2023 at 02:25:06PM +0300, Dan Carpenter wrote:
> On Mon, Jul 17, 2023 at 06:23:10PM +0800, joeyli wrote:
> > Hi Markus,
> > 
> > On Mon, Jul 17, 2023 at 08:15:56AM +0200, Markus Elfring wrote:
> > > >> …
> > > >>> We can ignore null link key in the handler of "Link Key Notification
> > > >>> event" to relieve the attack. …
> > > …
> > > > Sorry for I didn't capture your point.
> > > 
> > > Did you provide sufficient justification for a possible addition of the tag “Fixes”?
> > >
> > 
> > This patch is against a CVE. The issue is not introduced by any old kernel
> > patch. So I think it doesn't need Fixes: tag.
> 
> You should probably put a Fixes tag against when the feature was
> introduced.  (Kernel's prior to that were not affected by the CVE).
> 

OK! I see.

I have digged that the link key stored function be introduced by 55ed8ca10f35
since v2.6.39-rc1:

commit 55ed8ca10f3530de8edbbf138acb50992bf5005b
Author: Johan Hedberg <johan.hedberg@nokia.com>
Date:   Mon Jan 17 14:41:05 2011 +0200

    Bluetooth: Implement link key handling for the management interface

I will add Fixes: 55ed8ca10f35 ("Bluetooth: Implement link key handling for the management interface")
in next version.

Thanks for your and Markus's reminder.

Joey Lee

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2023-07-17 15:49 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-14 16:12 [PATCH] Bluetooth: hci_event: Ignore NULL link key Lee, Chun-Yi
2023-07-14 18:44 ` Luiz Augusto von Dentz
2023-07-17  5:38   ` joeyli
     [not found] ` <8eeb958e-d947-2f6d-5942-d30746cf1268@web.de>
2023-07-17  5:51   ` [PATCH] Bluetooth: hci_event: Ignore NULL link key in hci_link_key_notify_evt() joeyli
     [not found]     ` <7cae670e-b7c5-470b-536b-ab03513cd0a3@web.de>
2023-07-17 10:23       ` joeyli
2023-07-17 11:25         ` Dan Carpenter
2023-07-17 15:48           ` joeyli

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox