From: Alain Michaud
To: linux-bluetooth@vger.kernel.org
Cc: Alain Michaud
Subject: [BlueZ PATCH 0/2] HID and HOGP connections from non-bonded devices.
Date: Tue, 10 Mar 2020 02:35:14 +0000
Message-Id: <20200310023516.209146-1-alainm@chromium.org>

It was discovered that BlueZ's HID and HOGP profile implementations don't
specifically require bonding between the device and the host. This creates
an opportunity for a malicious device to connect to a target host to either
impersonate an existing HID device without security or to cause an SDP or
GATT service discovery to take place which would allow HID reports to be
injected to the input subsystem from a non-bonded source.

This patch series addresses the issue by ensuring that only connections from
devices that are bonded are accepted by the HID and HOGP profile
implementation.

More information about the vulnerability is available here:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

Alain Michaud (2):
  HOGP must only accept data from bonded devices.
  HID accepts bonded device connections only.

 profiles/input/device.c   | 23 ++++++++++++++++++++++-
 profiles/input/device.h   |  1 +
 profiles/input/hog.c      |  4 ++++
 profiles/input/input.conf |  8 ++++++++
 profiles/input/manager.c  | 13 ++++++++++++-
 5 files changed, 47 insertions(+), 2 deletions(-)

-- 
2.25.1.481.gfbce0eb801-goog
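
An added example, not part of the original message or of the BlueZ code: a check a defender could run over a host's input.conf to see whether bonded-only HID connections are switched on. It assumes the setting the series adds to profiles/input/input.conf is the ClassicBondedOnly key that BlueZ's input.conf documents under [General], and that the installed file is /etc/bluetooth/input.conf; the cover letter states neither, and the sample configurations are constructed.

```python
import configparser
import sys

# Assumption: key name and section as documented in BlueZ's input.conf;
# the cover letter itself does not name the option.
SECTION, KEY = "General", "ClassicBondedOnly"

# Constructed samples, not taken from any real host.
SAMPLE_COMMENTED = "[General]\n#IdleTimeout=30\n#ClassicBondedOnly=true\n"
SAMPLE_ENABLED = "[General]\nClassicBondedOnly=true\n"
SAMPLE_DISABLED = "[General]\nClassicBondedOnly = false\n"
SAMPLE_WRONG_CASE = "[General]\nclassicbondedonly=true\n"
SAMPLE_INLINE_COMMENT = "[General]\nClassicBondedOnly=true # hardened\n"


def bonded_only_state(conf_text):
    """Classify input.conf text as 'enforced', 'disabled', 'unset' or 'invalid'.

    'unset' means the key is absent or commented out, so the daemon's
    built-in default applies; 'invalid' means the file or value would not
    parse as a key-file boolean, so the setting cannot be relied on.
    """
    cp = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#",), interpolation=None
    )
    cp.optionxform = str  # key-file keys are case-sensitive; keep them as written
    try:
        cp.read_string(conf_text)
    except configparser.Error:
        return "invalid"
    if not cp.has_option(SECTION, KEY):
        return "unset"
    value = cp.get(SECTION, KEY).strip()
    if value in ("true", "1"):
        return "enforced"
    if value in ("false", "0"):
        return "disabled"
    return "invalid"  # e.g. 'yes', or a trailing inline comment


if __name__ == "__main__":
    # Assumed default install path; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/bluetooth/input.conf"
    with open(path, encoding="utf-8") as fh:
        print(path, "->", bonded_only_state(fh.read()))
```

A result of "unset" or "invalid" needs a follow-up against the installed BlueZ version, since the behaviour then depends on the daemon's built-in default rather than on the file.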