2022-02-01 10:55:54

by Kai Krakow

Subject: kernel 5.15.17: Spamming dmesg with "Malicious advertising data"

Hello!

Since kernel 5.15.17, dmesg is spammed with the following log,
sometimes multiple times per second:

> Bluetooth: hci0: Malicious advertising data. Stopping processing

This was probably introduced by commit 2de0e6a71ceb056e17e4684dce8b7640367996f9.

I'm not sure which device causes it, and it seems quite useless to
repeat this message without any rate limiting, especially when no
source of the incident is indicated.

I'm suspecting that something is messed up here, and there's not
really any malicious advertising going on. At least, there's a lot of
LE advertising going on but that looks sane:

```
> HCI Event: LE Meta Event (0x3e) plen 40 #63 [hci0] 3.466120
      LE Advertising Report (0x02)
        Num reports: 1
        Event type: Non connectable undirected - ADV_NONCONN_IND (0x03)
        Address type: Public (0x00)
        Address: F8:04:2E:8A:20:C1 (SAMSUNG ELECTRO-MECHANICS(THAILAND))
        Data length: 28
        Company: Samsung Electronics Co. Ltd. (117)
          Data: 42040180aef8042e8a20c1fa042e8a20c001000000000000
        RSSI: -68 dBm (0xbc)
> HCI Event: LE Meta Event (0x3e) plen 40 #64 [hci0] 3.469127
      LE Advertising Report (0x02)
        Num reports: 1
        Event type: Connectable undirected - ADV_IND (0x00)
        Address type: Public (0x00)
        Address: 74:AC:B9:41:D2:23 (Ubiquiti Networks Inc.)
        Data length: 28
        128-bit Service UUIDs (partial): 1 entry
          Vendor specific
        Service Data (UUID 0x252a): 74acb941d21c
        RSSI: -37 dBm (0xdb)
> HCI Event: LE Meta Event (0x3e) plen 40 #65 [hci0] 3.540118
      LE Advertising Report (0x02)
        Num reports: 1
        Event type: Scannable undirected - ADV_SCAN_IND (0x02)
        Address type: Random (0x01)
        Address: 53:F3:43:9B:9D:13 (Resolvable)
        Data length: 28
        16-bit Service UUIDs (complete): 1 entry
          Google (0xfe9f)
        Service Data (UUID 0xfe9f): 0000000000000000000000000000000000000000
        RSSI: -70 dBm (0xba)
> HCI Event: LE Meta Event (0x3e) plen 40 #66 [hci0] 3.596124
      LE Advertising Report (0x02)
        Num reports: 1
        Event type: Non connectable undirected - ADV_NONCONN_IND (0x03)
        Address type: Public (0x00)
        Address: 68:72:C3:A0:AA:75 (Samsung Electronics Co.,Ltd)
        Data length: 28
        Company: Samsung Electronics Co. Ltd. (117)
          Data: 420401806e6872c3a0aa756a72c3a0aa7401000000000000
        RSSI: -55 dBm (0xc9)
```

System info:

> Linux jupiter 5.15.17-gentoo #1 SMP PREEMPT Sat Jan 29 07:32:24 CET 2022 x86_64 12th Gen Intel(R) Core(TM) i7-12700K GenuineIntel GNU/Linux
> Bluetooth monitor ver 5.63
> = Note: Linux version 5.15.17-gentoo (x86_64) 0.256208
> = Note: Bluetooth subsystem version 2.22 0.256210
> = New Index: 00:1A:7D:DA:71:15 (Primary,USB,hci0) [hci0] 0.256211
> = Open Index: 00:1A:7D:DA:71:15 [hci0] 0.256212
> = Index Info: 00:1A:7D:DA:71:15 (Cambridge Silicon Radio) [hci0] 0.256212
> @ MGMT Open: bluetoothd (privileged) version 1.21 {0x0001} 0.256213


Regards,
Kai


2022-02-01 20:41:30

by Pavel Skripkin

Subject: Re: kernel 5.15.17: Spamming dmesg with "Malicious advertising data"

Hi Kai,

On 1/30/22 18:02, Kai Krakow wrote:
> Hello!
>
> Since kernel 5.15.17, dmesg is spammed with the following log,
> sometimes multiple times per second:
>
>> Bluetooth: hci0: Malicious advertising data. Stopping processing

Thanks for the report.

It's caused by one of my patches. Can you, please, try [1] and see if it
works for you. It looks like we just need to backport that patch to fix
the problem in stable kernels.


I am sorry for these false-positive messages :(


[1]
https://lore.kernel.org/linux-bluetooth/[email protected]/




With regards,
Pavel Skripkin

2022-02-01 20:50:48

by Kai Krakow

Subject: Re: kernel 5.15.17: Spamming dmesg with "Malicious advertising data"

Hey Pavel!

On Mon, 31 Jan 2022 at 15:59, Pavel Skripkin
<[email protected]> wrote:
>
> Hi Kai,
>
> On 1/30/22 18:02, Kai Krakow wrote:
> > Hello!
> >
> > Since kernel 5.15.17, dmesg is spammed with the following log,
> > sometimes multiple times per second:
> >
> >> Bluetooth: hci0: Malicious advertising data. Stopping processing
>
> Thanks for the report.
>
> It's caused by one of my patches. Can you, please, try [1] and see if it
> works for you. It looks like we just need to backport that patch to fix
> the problem in stable kernels.

I can confirm it's fixing the issue for 5.15.18, thanks. You can add
my Tested-by.


> I am sorry for these false-positive messages :(

NP


> [1]
> https://lore.kernel.org/linux-bluetooth/[email protected]/

Regards,
Kai