Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp350880ybh;
        Mon, 9 Mar 2020 23:27:48 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vsh+y7DOMsjAsVRjjqWcYO5UK2Q+Fhq/E1njMBHJQGnabgh6L/4uFMOBqvbuBAsXl4zlK5X
X-Received: by 2002:a9d:67c3:: with SMTP id c3mr7467580otn.340.1583821668510;
        Mon, 09 Mar 2020 23:27:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1583821668; cv=none;
        d=google.com; s=arc-20160816;
        b=oV3plCl+GRC0WE/NbWs+XBXSxELTLKhH/REnZLsgWcq+RwYBOI+BtTVBVeovNYM81z
         xTHSt/WjtaowLLli9D4b0hJiqeTVvhlvkCT+MQ5txiGxCqwZ2C5SlmqTrLE8Gkq5fIXx
         So9vsmakvpBLa47u5FWi+MG2R34534js/b8saAfYShrPV5F4dodmp16X4TaOtSwlRMi3
         UaCrTI8jCDRbx+JrV5zevkvFxVJRy1t0g77w/KVRFJ1M0ni31K6pvfOK/V9X37gjrSQd
         R97FV3S/GfpYnxq3kP5B9tqitR4c37XeBTtsDtL0bymxnIpiCteDxU1GK1vnHHqOJ/7D
         DrfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=7MymHMIPjwA8vlfgP3l2VtEZj5oz3aMUkf3EFgYY7H0=;
        b=J1SnuOBQCvUsTuSrqDZLrgcEzVd8pJ2exfx0Ei3GEKso+K/9vPnbzO1CHVbx2eKJ99
         SNPxRGowjrpal3DlNNEJXrj9F69My6bOxucxFPbnM+96QQuBqdl20lFQVOiJaylbUFYc
         B7MHlLKEsu5L77wgyA+I3F9uqW+Ey5FVfPCHfw66CbKcz44W8pcYHgZoqS1z7+fvtgDB
         FgIK8vmDEqc8FuZrZ3OXevwfcjQg+S35vlib+VMGRblO1lfm8T2LpqJsZt979Dl+RRM8
         Qh/iutvR6zowlvMgDD5yfgAEPM36m0gEEUTafy4IffMZUFi3Rv93oSVwSbY9f3ggoKTW
         setg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=NAHVLs2f;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h25si2098162otq.53.2020.03.09.23.27.34;
        Mon, 09 Mar 2020 23:27:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=NAHVLs2f;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726100AbgCJG12 (ORCPT <rfc822;rolyantrauts@gmail.com>
        + 99 others); Tue, 10 Mar 2020 02:27:28 -0400
Received: from mail-ot1-f65.google.com ([209.85.210.65]:43275 "EHLO
        mail-ot1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725919AbgCJG12 (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Tue, 10 Mar 2020 02:27:28 -0400
Received: by mail-ot1-f65.google.com with SMTP id a6so4203017otb.10
        for <linux-bluetooth@vger.kernel.org>; Mon, 09 Mar 2020 23:27:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=7MymHMIPjwA8vlfgP3l2VtEZj5oz3aMUkf3EFgYY7H0=;
        b=NAHVLs2fpOAhrOmaF2NqxxZpHCrSI6UPv8nm/FNFr2qvbO6RAp7LRiD+3hpQYduLcj
         siKlMb2dwcKCWLeFcvwYkWQq00QcftKDWD4Rmz1dsu72Pd5JPuflM7lkATIN3BBlLK/z
         77CxZM4Gk88VcrQldbGuF0otjR3VXMkMjlKFhMz2lXACKOHHgnkTCinANfVBPFKO4yj9
         PpFrLUkU6NYqD01mgc9u9++6A0o7E2bdiJqoe9Vyy++NAPx7nbdL7E08e0GlxPXseqD1
         pyID+n99ZiCGRgKaD+B9E3v3s7BeZ22volQh434a7c+pmajJhPSfEEdWae0A2i5J8taa
         NCfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=7MymHMIPjwA8vlfgP3l2VtEZj5oz3aMUkf3EFgYY7H0=;
        b=e+YV9vBXZ0mCaBXgeovt/1KVf1N2LHtOtPlwLNv8os1QUMkFcedaIGeZ1PGYESP88f
         OgTTLAj3HYOm4SzFLrhuZ/OYRWXwKz0YcS0pH6vIc36DUL12vqxzHC7riw48PXRNTh2K
         fxMPkS/Ldu3rVg7h0rSWxVnYDu+BylrFRAvu37cZ1iAnSGDOAl91S++hwm+BqliyH5BT
         0Z/YJ8GXDw5U6qAn8VFfSurFezzMCUECjlRyopb+yamBkQF3ggM3pFH/cYqEBarx17lh
         us+HagimdLAz1ZMyBt08WCBBBxz2VwXp40GNKc0IJUXaE5wQ6eZPh6vsgsVBibnjOMqc
         fGGA==
X-Gm-Message-State: ANhLgQ2ndGclcnaMd+YMb0XuW09NhniQCOHeNeE6MCWOgn2Upttj5rKw
        MAinutKENxxjBxiqGciEXRM/q6dcaRLtIjQycgf15NXu
X-Received: by 2002:a9d:53cc:: with SMTP id i12mr11208129oth.11.1583821647433;
 Mon, 09 Mar 2020 23:27:27 -0700 (PDT)
MIME-Version: 1.0
References: <20200310023516.209146-1-alainm@chromium.org> <87A4E633-63CF-4C71-9BF6-916894790EED@holtmann.org>
In-Reply-To: <87A4E633-63CF-4C71-9BF6-916894790EED@holtmann.org>
From:   Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Date:   Mon, 9 Mar 2020 23:27:15 -0700
Message-ID: <CABBYNZKbc71WvOA34cFcKXVRcG-hYedJBT5LeTK9c3+H5Trjwg@mail.gmail.com>
Subject: Re: [BlueZ PATCH 0/2] HID and HOGP connections from non-bonded devices.
To:     Marcel Holtmann <marcel@holtmann.org>
Cc:     Alain Michaud <alainm@chromium.org>,
        Bluez mailing list <linux-bluetooth@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Marcel,

On Mon, Mar 9, 2020 at 10:26 PM Marcel Holtmann <marcel@holtmann.org> wrote:
>
> Hi Alain,
>
> > It was discovered that BlueZ's HID and HOGP profiles implementations
> > don't specifically require bonding between the device and the host.
> >
> > This creates an opportunity for an malicious device to connect to a
> > target host to either impersonate an existing HID device without
> > security or to cause an SDP or GATT service discovery to take place
> > which would allow HID reports to be injected to the input subsystem from
> > a non-bonded source.
> >
> > This patch series addresses the issue by ensuring that only connections
> > from devices that are bonded are accepted by the HID and HOGP profile
> > implementation.
> >
> > More information about the vulnerability is available here:
> > https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
> >
> > Alain Michaud (2):
> >  HOGP must only accept data from bonded devices.
> >  HID accepts bonded device connections only.
> >
> > profiles/input/device.c   | 23 ++++++++++++++++++++++-
> > profiles/input/device.h   |  1 +
> > profiles/input/hog.c      |  4 ++++
> > profiles/input/input.conf |  8 ++++++++
> > profiles/input/manager.c  | 13 ++++++++++++-
> > 5 files changed, 47 insertions(+), 2 deletions(-)
>
> both patches have been applied.
>
> However I changed BrBondedOnly configuration name into ClassicBondedOnly since that name seemed more obvious to me. The prefix Br has never been used and the Bluetooth SIG started calling it Classic a while back.

Looks like you were quicker than me, anyway I do fill like we should
attempt to bump to security instead of just refuse to connection in
case of HoG since we are the central and the peripheral is not
mandated to started it either it may be just the client application is
attempting to connect to trigger pairing on demand, that would usually
kick latter when reading the characteristics but with this changes it
doesn't even get to that point if the devices was not bonded already.

-- 
Luiz Augusto von Dentz