From: "Lee, Chun-Yi"
To: Marcel Holtmann, Johan Hedberg
Cc: "David S . Miller", linux-kernel@vger.kernel.org, Luiz Augusto von Dentz, Markus Elfring, Dan Carpenter, linux-bluetooth@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH v2] Bluetooth: hci_event: Ignore NULL link key
Date: Tue, 18 Jul 2023 11:43:37 +0800
Message-Id: <20230718034337.23502-1-jlee@suse.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

This change is used to relieve CVE-2020-26555. The description of the CVE:

    Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
    1.0B through 5.2 may permit an unauthenticated nearby device to spoof the
    BD_ADDR of the peer device to complete pairing without knowledge of the
    PIN. [1]

The detail of this attack is in the IEEE paper: BlueMirror: Reflections on
Bluetooth Pairing and Provisioning Protocols [2]

It's a reflection attack. Based on the paper, an attacker can induce the
attacked target to generate a null link key (zero key) without the PIN code.
We can ignore the null link key in the handler of the "Link Key Notification
event" to relieve the attack. A similar implementation also appears in the
btstack project. [3]

v2:
- Used Link: tag instead of Closes:
- Used bt_dev_dbg instead of BT_DBG
- Added Fixes: tag

Fixes: 55ed8ca10f35 ("Bluetooth: Implement link key handling for the management interface")
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
Signed-off-by: "Lee, Chun-Yi" --- net/bluetooth/hci_event.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 95816a938cea..ff0c331f53d6 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, bool persistent; u8 pin_len = 0; + /* Ignore NULL link key against CVE-2020-26555 */ + if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { + bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr); + return; + } + bt_dev_dbg(hdev, ""); hci_dev_lock(hdev); -- 2.35.3
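Review bot: the early `return;` on a zero key, placed before `bt_dev_dbg(hdev, "");` and `hci_dev_lock(hdev);`, only makes the host forget the key; the controller has already finished pairing with that key and the ACL link to `ev->bdaddr` stays up, so a spoofing peer keeps an established connection that the host now silently treats as if no key event had arrived. Consider moving the check to after `hci_dev_lock()` and a lookup of the connection for `ev->bdaddr`, and tearing the link down instead of returning, e.g. `hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);` followed by the handler's normal unlock path, so the attacker's session is actively ended rather than left in place. Two smaller points: `memcmp()` against `ZERO_KEY` is correct for a public constant, but `crypto_memneq()` is the idiom used elsewhere in net/bluetooth for key comparisons and avoids a data-dependent early exit; and the `bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);` line exceeds 80 columns and should wrap after the format string, matching the file's existing style.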
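To make the check concrete outside the kernel, here is an added example (my own code, not the kernel's hci_link_key_notify_evt() and not btstack's) that parses a raw HCI Link Key Notification event and rejects an all-zero link key the way the patch does. The event layout (event code 0x18, then BD_ADDR 6 bytes, Link_Key 16 bytes, Key_Type 1 byte) follows the Bluetooth Core Specification's Link Key Notification event; the function names, the verdict enum and the two sample event byte strings are constructed for illustration, and the constant-time zero check is a stand-in for the kernel's crypto_memneq() rather than the kernel's code.

```c
/* Added example: parse an HCI Link Key Notification event and refuse an
 * all-zero link key, mirroring the check the patch adds to
 * hci_link_key_notify_evt(). Not kernel or btstack code; sample bytes are
 * constructed, not captured traffic. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HCI_LINK_KEY_SIZE 16
#define HCI_EV_LINK_KEY_NOTIFY 0x18
#define HCI_EV_LINK_KEY_NOTIFY_LEN 23   /* BD_ADDR(6) + Link_Key(16) + Key_Type(1) */

/* Hypothetical host-side representation of the event parameters. */
struct link_key_notify {
    uint8_t bdaddr[6];                  /* little-endian, as on the wire */
    uint8_t link_key[HCI_LINK_KEY_SIZE];
    uint8_t key_type;
};

enum key_verdict { KEY_ACCEPT = 0, KEY_REJECT_NULL = 1, KEY_REJECT_MALFORMED = 2 };

/* Branch-free "is this buffer all zero" check; a stand-in for the kernel's
 * crypto_memneq(key, ZERO_KEY, len). memcmp() would also be correct since
 * ZERO_KEY is public, but a data-independent loop is the safer habit. */
static bool is_zero_key(const uint8_t *key, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= key[i];
    return acc == 0;
}

/* Parse an HCI event packet (event code, parameter length, parameters) into
 * *out. The key in *out is only usable when the verdict is KEY_ACCEPT. */
enum key_verdict check_link_key_event(const uint8_t *pkt, size_t pkt_len,
                                      struct link_key_notify *out)
{
    /* Length discipline first: never read the key out of a short packet. */
    if (pkt_len < 2 || pkt[0] != HCI_EV_LINK_KEY_NOTIFY ||
        pkt[1] != HCI_EV_LINK_KEY_NOTIFY_LEN ||
        pkt_len != 2 + HCI_EV_LINK_KEY_NOTIFY_LEN)
        return KEY_REJECT_MALFORMED;

    const uint8_t *p = pkt + 2;
    memcpy(out->bdaddr, p, 6);
    memcpy(out->link_key, p + 6, HCI_LINK_KEY_SIZE);
    out->key_type = p[22];

    /* The check the patch adds: a zero key is what the BlueMirror reflection
     * attack induces without the PIN, so it must never be stored or trusted. */
    if (is_zero_key(out->link_key, HCI_LINK_KEY_SIZE)) {
        memset(out->link_key, 0, HCI_LINK_KEY_SIZE);
        return KEY_REJECT_NULL;
    }
    return KEY_ACCEPT;
}

/* Constructed sample events: one carrying a zero key, one carrying a
 * (made-up) non-zero combination key. BD_ADDR is 11:22:33:44:55:66. */
static const uint8_t sample_zero_key_event[] = {
    0x18, 0x17,
    0x66, 0x55, 0x44, 0x33, 0x22, 0x11,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00,
};
static const uint8_t sample_real_key_event[] = {
    0x18, 0x17,
    0x66, 0x55, 0x44, 0x33, 0x22, 0x11,
    0x9b, 0x02, 0xe3, 0x70, 0x14, 0x5c, 0xa1, 0x77,
    0x0d, 0x44, 0xf9, 0x2b, 0x60, 0x8e, 0x31, 0xc5,
    0x00,
};

int main(void)
{
    struct link_key_notify k = {0};
    const uint8_t *events[] = { sample_zero_key_event, sample_real_key_event };
    const size_t lens[] = { sizeof sample_zero_key_event, sizeof sample_real_key_event };
    static const char *names[] = { "accept", "reject: NULL link key", "reject: malformed" };

    for (size_t i = 0; i < 2; i++) {
        enum key_verdict v = check_link_key_event(events[i], lens[i], &k);
        printf("event %zu from %02x:%02x:%02x:%02x:%02x:%02x -> %s\n", i,
               k.bdaddr[5], k.bdaddr[4], k.bdaddr[3],
               k.bdaddr[2], k.bdaddr[1], k.bdaddr[0], names[v]);
    }
    return 0;
}
```

The length check before any field access is deliberate: a host that rejects a zero key but still trusts the parameter-length byte can be pushed into an out-of-bounds read by a malformed event, which is a different bug from the one the patch addresses but lives in the same handler.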