Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1970090ybh; Fri, 17 Jul 2020 06:18:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzjySWnROKb6/F9qVUO1Bsb0r9SnS+u9aYEM3zO26ry+tNFd84SIfU2Hne5Yi2VWXtoS3UQ X-Received: by 2002:a17:906:c259:: with SMTP id bl25mr8402912ejb.303.1594991930489; Fri, 17 Jul 2020 06:18:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594991930; cv=none; d=google.com; s=arc-20160816; b=JeZldY+YdlStcOdgi/X/HNTfr/vFh8enlnVBpVEeWyrqGmU2dG0WMg4ixDxU35HRJ4 uuvODD20dn5jmXypAlzVhdsOhF2S6FrjAWdBpbG+gRB8ePUJ3mSgbtEHpFBi/rwZFaSj 6KfRojfLmcEnIacaVulA169a95qawuhETvluOSKLR2/dnnJkX882GtS3bncbmQCHeODD ygO7biC7pXPPwRMN/KY44WSydz5x3utkR060BREylEzXmucB1O77MIkBO2IyBk3QFAxi ATeaNdBj/bczmd5qfl/uwSZR/R2UiwZqxawbYJWUAE1JZveVi4yJ378e00qi5UpWLLen D56g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=YM/u3gjvM4q2JWx7UhekKDRsr2AbTo4qfrXy3xVIS9k=; b=deqxMHZjTHTYhYaOnDTrCPfBGJH+PbZn/03UtfG2Q2rvIQaYQ0QxngtJ1cxhQelY9V ZsgBDja6RMZP6qpl9QuRjsBJbRW73DROdX//GiDn6Ff8vpohsm+KovXRY/McvVAOf8qu drat10jI/4oaXiIAOWc8NHsIJPUDZScsMuQ6TDsNCY28ZRqKuiuzPpXA/Ed9Uuh+Mw7E 4xng9Q6q2ZxXCdY8yZtt4/LwrlUf2w4Yt4E/ByYOKGEZpS7A080Zz72G1zpirSTILNgm 6eFDvZ3lGQkw1NgGTtWLHMDiKaf+Fa6MpUUHumaza1skKBYEC3U4M78MqTnwBFJLXozn U6jA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="sf/T5sXR"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g14si5272529ejw.376.2020.07.17.06.18.27; Fri, 17 Jul 2020 06:18:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="sf/T5sXR"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726626AbgGQNSD (ORCPT + 99 others); Fri, 17 Jul 2020 09:18:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32962 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726090AbgGQNSD (ORCPT ); Fri, 17 Jul 2020 09:18:03 -0400 Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EBCE7C08C5C0 for ; Fri, 17 Jul 2020 06:18:02 -0700 (PDT) Received: by mail-lj1-x244.google.com with SMTP id j11so12571842ljo.7 for ; Fri, 17 Jul 2020 06:18:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=YM/u3gjvM4q2JWx7UhekKDRsr2AbTo4qfrXy3xVIS9k=; b=sf/T5sXRhkN8YEk+EOhFcH7el1N/kDRdyYraixUm9LORleyvBRdP8ykec29CpkXDZ0 XdWo4qDS1Eb3DhdzVwzo3n7xUQVm7CNj//prYhxniDyOhmZgnDxQq2loH/Q1zmNqNpw1 lB8Qmjes7B8dWb1K+U5rZm9CwsCECVIpnOt3TWQ8DL4f4muqq9Bsc8cf06KfSeuQYX50 2IbpMhKO+GSpgked7oB5bNy8GmbF/7mxtbN+DMyEhnj92oIcfQPJ53kNUUSYjZMYWn8V FX0kTIWd/AuJ37dNa7Ivap7Qnqg8eIGtZoFy5rLiFsUVU4H+aiD9jnatv4aor2jp97pk MGKw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=YM/u3gjvM4q2JWx7UhekKDRsr2AbTo4qfrXy3xVIS9k=; b=QmxxRqDhs5D0r2xRtJRmv5QhkPnbHigFUMEfHFyDbQIxK4nQtCfTnw9w6JtibY+NaF 7aS0PgTu6CyfH6h9HsVUphN7k2xrxgQh/gfuaP1eOX6VDQzMB+aOqjcFFPQG0CfnmAS3 6F/VJxy+dgza2KrRKTc15gxRz8bFjvtD7KubI+cCMvTKpvkNVHyfk7klUY4qKIVfnF/r wAqKk4ClT3ecOtpzZZCj2s2xIURUqZ0wwy14fmd/63IK/4Jb4jtamu9VLXwUKz2kdczy vNAvE+66f9dKF+JR07aBN/VArdyDwHOpfySapV4wacM29NitJBNlPK9vui9Cjh5jZUnV WGtQ== X-Gm-Message-State: AOAM533oNhnckTmb2jcg04kH5oDPVcpImLD6D6Fp/0McXr77jqy9Kkkz p0JzMJ75Nsbg6B5BnWkFVI71GuEvN0SqcA7PJkunpw4wdkQ= X-Received: by 2002:a2e:910c:: with SMTP id m12mr4340344ljg.274.1594991881148; Fri, 17 Jul 2020 06:18:01 -0700 (PDT) MIME-Version: 1.0 References: <20200627105437.453053-1-apusaka@google.com> <20200627185320.RFC.v1.1.Icea550bb064a24b89f2217cf19e35b4480a31afd@changeid> <91CFE951-262A-4E83-8550-25445AE84B5A@holtmann.org> <7BBB55E0-FBD9-40C0-80D9-D5E7FC9F80D2@holtmann.org> In-Reply-To: From: Alain Michaud Date: Fri, 17 Jul 2020 09:17:49 -0400 Message-ID: Subject: Re: [RFC PATCH v1 1/2] Bluetooth: queue ACL packets if no handle is found To: Marcel Holtmann Cc: Archie Pusaka , linux-bluetooth , chromeos-bluetooth-upstreaming , Abhishek Pandit-Subedi , "David S. Miller" , Jakub Kicinski , Johan Hedberg , kernel list , netdev Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Marcel, On Fri, Jul 17, 2020 at 2:51 AM Marcel Holtmann wrote= : > > Hi Alain, > > > >>> There is a possibility that an ACL packet is received before we > > >>> receive the HCI connect event for the corresponding handle. If this > > >>> happens, we discard the ACL packet. > > >>> > > >>> Rather than just ignoring them, this patch provides a queue for > > >>> incoming ACL packet without a handle. The queue is processed when > > >>> receiving a HCI connection event. If 2 seconds elapsed without > > >>> receiving the HCI connection event, assume something bad happened > > >>> and discard the queued packet. > > >>> > > >>> Signed-off-by: Archie Pusaka > > >>> Reviewed-by: Abhishek Pandit-Subedi > > >> > > >> so two things up front. I want to hide this behind a HCI_QUIRK_OUT_O= F_ORDER_ACL that a transport driver has to set first. Frankly if this kind = of out-of-order happens on UART or SDIO transports, then something is obvio= usly going wrong. I have no plan to fix up after a fully serialized transpo= rt. > > >> > > >> Secondly, if a transport sets HCI_QUIRK_OUT_OF_ORDER_ACL, then I wan= t this off by default. You can enable it via an experimental setting. The r= eason here is that we have to make it really hard and fail as often as poss= ible so that hardware manufactures and spec writers realize that something = is fundamentally broken here. > > I don't have any objection to making this explicit enable to non serial= ized transports. However, I do wonder what the intention is around making = this off by default. We already know there is a race condition between the= interupt and bulk endpoints over USB, so this can and does happen. Hardwa= re manufaturers can't relly do much about this other than trying to pull th= e interupt endpoint more often, but that's only a workaround, it can't avoi= d it all together. > > > > IMO, this seems like a legitimate fix at the host level and I don't see= any obvious benefits to hide this fix under an experimental feature and ma= ke it more difficult for the customers and system integrators to discover. > > the problem is that this is not a fix. It is papering over a hole and at = best a workaround with both eyes closed and hoping for the best. I am not l= ooking forward for the first security researcher to figure out that they ha= ve a chance to inject an unencrypted packet since we are waiting 2 seconds = for the USB transport to get its act together. I don't think this is the right characterization but I agree, 2 seconds would be too long, it would ideally be no longer than the USB polling interval diff. > > In addition, I think that Luiz attempt to align with the poll intervals i= nside the USB transport directly is a cleaner and more self-contained appro= ach. It also reduces the window of opportunity for any attacker since we ac= tually align the USB transport specific intervals with each other. I'll have to look at Luiz's patch and think through if this really eliminates the problem. If may indeed be a more practical approach to this problem. > > Regards > > Marcel >