Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3904589ybi; Mon, 29 Jul 2019 15:03:11 -0700 (PDT) X-Google-Smtp-Source: APXvYqzVtsKwD82ZrYw+qrF1YaiVaf4l6WNGqCDb7ORdmAnOLSwyqA0xgaT51/8d6AD5FKHXEDNO X-Received: by 2002:a17:90a:ba93:: with SMTP id t19mr112212880pjr.139.1564437791375; Mon, 29 Jul 2019 15:03:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564437791; cv=none; d=google.com; s=arc-20160816; b=EJd7/gqjtnGdliPo0ZuMiNFIUSfecebV0WKGEouFpIbBmybvRwtfMustLox4XNhHEG zre32doTG95HOXF7vnr9G7GvHg4xFQ+8jxP9QDI6rcQkfVIpfEd9Kpv6Z0D79bwjO8mK BJfbp11H+LW8bhVmRfHWHLlsq4YcIzieUWvy8AO1Yg/he2obQu4obJLyUqMf2ZEUfGhe 38VtvJ3xL56RcYh/lOf4GUIVY3QnYA/789XTD6Z6ejsOq2cs90QeLyf3PZIoSb1IKpKI IQV4pwXGAGKRNZfObtruMfM3FHQfgyDH2/I27dFwSluooiYzAJUZ1WpyRNjI0uCK9+SR 1TQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=v/oOOTEcXS2gtBE5hU/jsx8f7qlp9IWpyE3YvVnjp1k=; b=FF8/bBvNZ7HoW6KRu5cmTkMJW+nZjh2C4eARFYDL9vzhaJSoN5Ru4u+Vj0BmLN125I FBFKh6DPofAl8J6orWxLZYKr19XBifTIec6T3JrTu/OPhNWZnizqiJfFoDkQPz+nnSgW pP+pXSMeJxV5jO3eDx2Dn+LRaa8kxCUcNXWs2huGmFK9Hp5Ogoa9fxd9DuZbLXTDxxDu pFarUsoHOymD+qwXsra0P2Abh8L/SQk67ArOOYOVsVxGSZCt96gReCVNuoanXYNbmjTJ MeovUzaL3DEt7F3VqKM44DaR8sNG5m2WyR5kcTJOYnV2FLr6+SMlC+bzaG81bn5l1Vze IuXw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="PNuBXDz/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n1si25248107plk.388.2019.07.29.15.02.56; Mon, 29 Jul 2019 15:03:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="PNuBXDz/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730050AbfG2T3A (ORCPT + 99 others); Mon, 29 Jul 2019 15:29:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:41678 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730046AbfG2T25 (ORCPT ); Mon, 29 Jul 2019 15:28:57 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C33812070B; Mon, 29 Jul 2019 19:28:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564428536; bh=qH/dvaMAX7TlCmF1Q9+lHFYVWEHaHq5SWRfl7w0ltes=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PNuBXDz/ZxFtOPlbAtgIMEnVkQkTkzzFDhGzTMp1b9iAPpCoaOgL63kbBQxUL6s6s DL2jk7Z6poKLFdfuCFN8WEo/y184DYhzEvR28lxTvBor7O56FoIEfRHxC5ia2S72Q5 VyO+Lpf24uMz5Vbt2M59bpOAewrp8OIL7+aBcYgg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Carey Sonsino , Marcel Holtmann , Sasha Levin Subject: [PATCH 4.14 100/293] Bluetooth: validate BLE connection interval updates Date: Mon, 29 Jul 2019 21:19:51 +0200 Message-Id: <20190729190832.302531195@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190729190820.321094988@linuxfoundation.org> References: <20190729190820.321094988@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit c49a8682fc5d298d44e8d911f4fa14690ea9485e ] Problem: The Linux Bluetooth stack yields complete control over the BLE connection interval to the remote device. The Linux Bluetooth stack provides access to the BLE connection interval min and max values through /sys/kernel/debug/bluetooth/hci0/ conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval. These values are used for initial BLE connections, but the remote device has the ability to request a connection parameter update. In the event that the remote side requests to change the connection interval, the Linux kernel currently only validates that the desired value is within the acceptable range in the Bluetooth specification (6 - 3200, corresponding to 7.5ms - 4000ms). There is currently no validation that the desired value requested by the remote device is within the min/max limits specified in the conn_min_interval/conn_max_interval configurations. This essentially leads to Linux yielding complete control over the connection interval to the remote device. The proposed patch adds a verification step to the connection parameter update mechanism, ensuring that the desired value is within the min/max bounds of the current connection. If the desired value is outside of the current connection min/max values, then the connection parameter update request is rejected and the negative response is returned to the remote device. Recall that the initial connection is established using the local conn_min_interval/conn_max_interval values, so this allows the Linux administrator to retain control over the BLE connection interval. The one downside that I see is that the current default Linux values for conn_min_interval and conn_max_interval typically correspond to 30ms and 50ms respectively. If this change were accepted, then it is feasible that some devices would no longer be able to negotiate to their desired connection interval values. This might be remedied by setting the default Linux conn_min_interval and conn_max_interval values to the widest supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same behavior as the current implementation, where the remote device could request to change the connection interval value to any value that is permitted by the Bluetooth specification, and Linux would accept the desired value. Signed-off-by: Carey Sonsino Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin --- net/bluetooth/hci_event.c | 5 +++++ net/bluetooth/l2cap_core.c | 9 ++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 363dc85bbc5c..3d2f64a6d623 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -5089,6 +5089,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, return send_conn_param_neg_reply(hdev, handle, HCI_ERROR_UNKNOWN_CONN_ID); + if (min < hcon->le_conn_min_interval || + max > hcon->le_conn_max_interval) + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); + if (hci_check_conn_params(min, max, latency, timeout)) return send_conn_param_neg_reply(hdev, handle, HCI_ERROR_INVALID_LL_PARAMS); diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 0c2219f483d7..4dc1db85a9c2 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -5287,7 +5287,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, memset(&rsp, 0, sizeof(rsp)); - err = hci_check_conn_params(min, max, latency, to_multiplier); + if (min < hcon->le_conn_min_interval || + max > hcon->le_conn_max_interval) { + BT_DBG("requested connection interval exceeds current bounds."); + err = -EINVAL; + } else { + err = hci_check_conn_params(min, max, latency, to_multiplier); + } + if (err) rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); else -- 2.20.1