This change is used to relieve CVE-2020-26555. The description of the
CVE:
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]
The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]
It's a reflection attack. Base on the paper, attacker can induce the
attacked target to generate null link key (zero key) without PIN code.
We can ignore null link key in the handler of "Link Key Notification
event" to relieve the attack. A similar implementation also shows in
btstack project. [3]
Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
Signed-off-by: "Lee, Chun-Yi" <[email protected]>
---
net/bluetooth/hci_event.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 95816a938cea..e81b8d6c13ba 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
bool persistent;
u8 pin_len = 0;
+ /* Ignore NULL link key against CVE-2020-26555 */
+ if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+ BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);
+ return;
+ }
+
bt_dev_dbg(hdev, "");
hci_dev_lock(hdev);
--
2.35.3
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=765780
---Test result---
Test Summary:
CheckPatch FAIL 0.94 seconds
GitLint FAIL 0.54 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 33.91 seconds
CheckAllWarning PASS 36.79 seconds
CheckSparse WARNING 41.59 seconds
CheckSmatch WARNING 113.49 seconds
BuildKernel32 PASS 32.55 seconds
TestRunnerSetup PASS 496.37 seconds
TestRunner_l2cap-tester PASS 23.35 seconds
TestRunner_iso-tester PASS 41.73 seconds
TestRunner_bnep-tester PASS 10.61 seconds
TestRunner_mgmt-tester PASS 217.91 seconds
TestRunner_rfcomm-tester PASS 16.03 seconds
TestRunner_sco-tester PASS 16.84 seconds
TestRunner_ioctl-tester PASS 17.97 seconds
TestRunner_mesh-tester PASS 13.39 seconds
TestRunner_smp-tester PASS 14.57 seconds
TestRunner_userchan-tester PASS 11.50 seconds
IncrementalBuild PASS 31.19 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: hci_event: Ignore NULL link key
WARNING: From:/Signed-off-by: email address mismatch: 'From: "Lee, Chun-Yi" <[email protected]>' != 'Signed-off-by: "Lee, Chun-Yi" <[email protected]>'
total: 0 errors, 1 warnings, 0 checks, 12 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13313835.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: hci_event: Ignore NULL link key
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
23: B1 Line exceeds max length (81>80): "Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]"
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
---
Regards,
Linux Bluetooth
Hi Chun-Yi,
On Fri, Jul 14, 2023 at 9:14 AM Lee, Chun-Yi <[email protected]> wrote:
>
> This change is used to relieve CVE-2020-26555. The description of the
> CVE:
>
> Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> the BD_ADDR of the peer device to complete pairing without knowledge
> of the PIN. [1]
>
> The detail of this attack is in IEEE paper:
> BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> [2]
>
> It's a reflection attack. Base on the paper, attacker can induce the
> attacked target to generate null link key (zero key) without PIN code.
>
> We can ignore null link key in the handler of "Link Key Notification
> event" to relieve the attack. A similar implementation also shows in
> btstack project. [3]
>
> Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
Shouldn't the last 2 be using Link: instead?
> Signed-off-by: "Lee, Chun-Yi" <[email protected]>
> ---
> net/bluetooth/hci_event.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 95816a938cea..e81b8d6c13ba 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
> bool persistent;
> u8 pin_len = 0;
>
> + /* Ignore NULL link key against CVE-2020-26555 */
> + if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
> + BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);
Please use bt_dev_dbg instead.
> + return;
> + }
> +
> bt_dev_dbg(hdev, "");
>
> hci_dev_lock(hdev);
> --
> 2.35.3
>
--
Luiz Augusto von Dentz
Hi Luiz Augusto von Dentz,
First, thanks for your review!
On Fri, Jul 14, 2023 at 11:44:28AM -0700, Luiz Augusto von Dentz wrote:
> Hi Chun-Yi,
>
> On Fri, Jul 14, 2023 at 9:14 AM Lee, Chun-Yi <[email protected]> wrote:
> >
> > This change is used to relieve CVE-2020-26555. The description of the
> > CVE:
> >
> > Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> > 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> > the BD_ADDR of the peer device to complete pairing without knowledge
> > of the PIN. [1]
> >
> > The detail of this attack is in IEEE paper:
> > BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> > [2]
> >
> > It's a reflection attack. Base on the paper, attacker can induce the
> > attacked target to generate null link key (zero key) without PIN code.
> >
> > We can ignore null link key in the handler of "Link Key Notification
> > event" to relieve the attack. A similar implementation also shows in
> > btstack project. [3]
> >
> > Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> > Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> > Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
>
> Shouldn't the last 2 be using Link: instead?
>
Sorry for I confused Link: with Closes:. I will change all of them to Link: tag
> > Signed-off-by: "Lee, Chun-Yi" <[email protected]>
> > ---
> > net/bluetooth/hci_event.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 95816a938cea..e81b8d6c13ba 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
> > bool persistent;
> > u8 pin_len = 0;
> >
> > + /* Ignore NULL link key against CVE-2020-26555 */
> > + if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
> > + BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);
>
> Please use bt_dev_dbg instead.
>
I see! I will use bt_dev_dbg.
> > + return;
> > + }
> > +
> > bt_dev_dbg(hdev, "");
> >
> > hci_dev_lock(hdev);
> > --
> > 2.35.3
> >
Thanks a lot!
Joey Lee