From: Szymon Janc
To: linux-bluetooth@vger.kernel.org
Cc: Szymon Janc, Maarten Fonville, stable@vger.kernel.org
Subject: [PATCH] Bluetooth: SMP: Workaround Microsoft Surface Precision Mouse bug
Date: Wed, 19 Jun 2019 00:47:47 +0200
Message-Id: <20190618224747.446-1-szymon.janc@codecoup.pl>
X-Mailer: git-send-email 2.21.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-bluetooth@vger.kernel.org

Microsoft Surface Precision Mouse provides bogus identity address when
pairing. It connects with Static Random address but provides Public
Address in SMP Identity Address Information PDU. Address has same
value but type is different. Workaround this by dropping IRK if ID
address discrepancy is detected.

> HCI Event: LE Meta Event (0x3e) plen 19
      LE Connection Complete (0x01)
        Status: Success (0x00)
        Handle: 75
        Role: Master (0x00)
        Peer address type: Random (0x01)
        Peer address: E0:52:33:93:3B:21 (Static)
        Connection interval: 50.00 msec (0x0028)
        Connection latency: 0 (0x0000)
        Supervision timeout: 420 msec (0x002a)
        Master clock accuracy: 0x00

....

> ACL Data RX: Handle 75 flags 0x02 dlen 12
      SMP: Identity Address Information (0x09) len 7
        Address type: Public (0x00)
        Address: E0:52:33:93:3B:21

Signed-off-by: Szymon Janc
Tested-by: Maarten Fonville
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199461
Cc: stable@vger.kernel.org

--- net/bluetooth/smp.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index e68c715f8d37..d528d95a2c27 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c
@@ -2579,6 +2579,20 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, goto distribute; } + /* + * Drop IRK if peer is using identity address during pairing but is + * providing different address as identity information. + * + * Microsoft Surface Precision Mouse is known to have this bug. + */ + if (hci_is_identity_address(&hcon->dst, hcon->dst_type) && + (bacmp(&info->bdaddr, &hcon->dst) || + info->addr_type != hcon->dst_type)) { + bt_dev_err(hcon->hdev, + "ignoring IRK with invalid identity address"); + goto distribute; + } + bacpy(&smp->id_addr, &info->bdaddr); smp->id_addr_type = info->addr_type; -- 2.21.0
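
Review bot: the comment above the new check in smp_cmd_ident_addr_info() says the peer is "providing different address as identity information", but the condition also rejects a matching address whose type differs (info->addr_type != hcon->dst_type), and that is the case the trace in the commit message shows: Random (Static) on the connection, Public in the Identity Address Information PDU, same E0:52:33:93:3B:21 value. The comment should say "different address or address type" so the type comparison is not later mistaken for a redundant check. The bt_dev_err() text "ignoring IRK with invalid identity address" carries neither the connection address and type nor the ones received in the PDU, so a log reader cannot tell which peer triggered it or whether the address or only the type differed. Printing both pairs would make the line usable for triage. The message is also emitted at error level on input the remote device controls, so a warning-level or rate-limited message would be a better fit. Finally, the comment says "Drop IRK" while the added lines only skip to the distribute label before smp->id_addr is filled in. A short remark in the comment that the key received earlier is never stored on this path would make it clear from this function alone that resolution will not later be attempted against the mismatched identity.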