References: <20230718034337.23502-1-jlee@suse.com> <20230719154918.GJ14791@linux-l9pv.suse>
From: Luiz Augusto von Dentz
Date: Thu, 27 Jul 2023 15:29:42 -0700
Subject: Re: [PATCH v2] Bluetooth: hci_event: Ignore NULL link key
To: joeyli
Cc: "Lee, Chun-Yi", Marcel Holtmann, Johan Hedberg, "David S . Miller", linux-kernel@vger.kernel.org, Markus Elfring, Dan Carpenter, linux-bluetooth@vger.kernel.org
List-ID: linux-bluetooth@vger.kernel.org

Hi Joeyli,

On Wed, Jul 19, 2023 at 5:25 PM Luiz Augusto von Dentz wrote:
>
> Hi Joeyli,
>
> On Wed, Jul 19, 2023 at 8:49 AM joeyli wrote:
> >
> > Hi Luiz Augusto von Dentz,
> >
> > On Tue, Jul 18, 2023 at 10:22:26AM -0700, Luiz Augusto von Dentz wrote:
> > > Hi Chun-Yi,
> > >
> > > On Mon, Jul 17, 2023 at 8:43 PM Lee, Chun-Yi wrote:
> > > >
> > > > This change is used to relieve CVE-2020-26555. The description of the
> > > > CVE:
> > > >
> > > > Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> > > > 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> > > > the BD_ADDR of the peer device to complete pairing without knowledge
> > > > of the PIN. [1]
> > >
> > > Btw, it is probably worth mentioning that in BR/EDR the key generation
> > > is actually handled in the controller, below HCI.
> > >
> >
> > Yes, the key generation is handled by the link manager. I will mention it
> > in the patch description.
> >
> > > > The details of this attack are in the IEEE paper:
> > > > BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> > > > [2]
> > > >
> > > > It's a reflection attack.
> > > > Based on the paper, an attacker can induce the
> > > > attacked target to generate a null link key (zero key) without a PIN code.
> > > >
> > > > We can ignore a null link key in the handler of the "Link Key Notification
> > > > event" to relieve the attack. A similar implementation also shows in the
> > > > btstack project. [3]
> > >
> > > Perhaps we could clarify this statement by stating that if we ignore
> > > the link key it means the stack will not consider the device bonded
> > > and will not persist the link key, that said the controller will still
> > > consider it as paired, so perhaps we should go one step forward and
> > > disconnect if we detect such a key is being used.
> > >
> >
> > I am new to the Bluetooth field. Did you mean like this patch? Sending
> > HCI_Disconnect when we find a zero link key?
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index ff0c331f53d6..3482031cbbb8 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4698,6 +4700,15 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
> >         if (!conn)
> >                 goto unlock;
> >
> > +       /* Ignore NULL link key against CVE-2020-26555 */
> > +       if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
> > +               bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);
> > +               hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
> > +               hci_conn_drop(conn);
> > +               goto unlock;
> > +       }
>
> Yeah, something like that should do it, btw I hope you are testing that
> these changes do actually work properly, even better if you could
> introduce a test into the likes of mgmt-tester to generate a ZERO_KEY
> so we are not caught by surprise if something doesn't quite work as
> expected, or some change causes a regression where this key is accepted
> again.

Are you still planning on updating these changes so we can apply it?

> >         hci_conn_hold(conn);
> >         conn->disc_timeout = HCI_DISCONN_TIMEOUT;
> >         hci_conn_drop(conn);
> >
> >
> > Is there anything I'm missing? Thanks a lot!
> >
> > > > v2:
> > > > - Used Link: tag instead of Closes:
> > > > - Used bt_dev_dbg instead of BT_DBG
> > > > - Added Fixes: tag
> > > >
> > > > Fixes: 55ed8ca10f35 ("Bluetooth: Implement link key handling for the management interface")
> > > > Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> > > > Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> > > > Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
> > > > Signed-off-by: "Lee, Chun-Yi"
> > > > ---
> > > >  net/bluetooth/hci_event.c | 6 ++++++
> > > >  1 file changed, 6 insertions(+)
> > > >
> > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > > index 95816a938cea..ff0c331f53d6 100644
> > > > --- a/net/bluetooth/hci_event.c
> > > > +++ b/net/bluetooth/hci_event.c
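Review bot: in the hci_disconnect() variant quoted above (the `@@ -4698,6 +4700,15 @@` hunk), the new branch calls `hci_conn_drop(conn)` without a preceding `hci_conn_hold(conn)`, so it releases a reference this handler never took; the existing lines right below it keep the pair balanced with `hci_conn_hold(conn); conn->disc_timeout = HCI_DISCONN_TIMEOUT; hci_conn_drop(conn);`. Either keep the same hold/drop pairing around the disconnect or call hci_disconnect() and go straight to `goto unlock`. Two smaller points: the comment should say why the link is torn down (the controller still treats the zero key as a completed pairing, as discussed above), and since the base blob `ff0c331f53d6` is the result of the v2 patch, confirm the v2 early return at the top of the function is removed in the same patch (only this hunk is quoted), otherwise this block is never reached.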
> > > > @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
> > > >         bool persistent;
> > > >         u8 pin_len = 0;
> > > >
> > > > +       /* Ignore NULL link key against CVE-2020-26555 */
> > > > +       if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
> > > > +               bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr);
> > > > +               return;
> > > > +       }
> > > > +
> > > >         bt_dev_dbg(hdev, "");
> > > >
> > > >         hci_dev_lock(hdev);
> > > > --
> > > > 2.35.3
> > > >
> >
> > Thanks a lot!
> > Joey Lee
> >
>
> --
> Luiz Augusto von Dentz

--
Luiz Augusto von Dentz
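Review bot: in the v2 hunk (`@@ -4684,6 +4684,12 @@`), the `return` fires before `hci_dev_lock(hdev)` and before the connection is looked up, so a zero key is merely not stored while the ACL link stays up and the controller keeps treating the peer as paired, which is exactly the gap raised later in the thread. Move the check to after the `conn` lookup so the link can be dropped with `HCI_ERROR_AUTH_FAILURE`, and place it after the function's own `bt_dev_dbg(hdev, "")` entry trace so the rejection is logged in the usual order. A mgmt-tester case that feeds a ZERO_KEY Link Key Notification, as suggested above, would keep the rejection from regressing silently.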
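A standalone check for the event under discussion, added here as an example and not code from the kernel patch or the btstack project: it parses a raw HCI Link Key Notification event (event code 0x18, parameters bdaddr, 16-byte link key, key type) and reports whether the key is all-zero, rejecting short or mis-sized packets instead of reading past them. The verdict names, the sample packets and the `check_link_key_event` function are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* HCI Link Key Notification event: code 0x18, parameters are
 * bdaddr[6] | link_key[16] | key_type[1], i.e. 23 bytes. */
#define EV_LINK_KEY_NOTIFY   0x18
#define LINK_KEY_SIZE        16
#define LINK_KEY_NOTIFY_PLEN 23

/* Verdict names are chosen for this example, not kernel identifiers. */
enum key_verdict { KEY_OTHER_EVENT = -2, KEY_MALFORMED = -1, KEY_OK = 0, KEY_ZERO = 1 };
struct link_key_notify {
    uint8_t bdaddr[6];
    uint8_t link_key[LINK_KEY_SIZE];
    uint8_t key_type;
};

/* All-zero test without an early exit, so the time taken does not depend
 * on how many leading bytes of a genuine key happen to be zero. */
static int key_is_zero(const uint8_t *key, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= key[i];
    return acc == 0;
}

/* Classify one raw HCI event packet (event code, parameter length, parameters).
 * On KEY_OK or KEY_ZERO the decoded fields are written to *out. */
int check_link_key_event(const uint8_t *pkt, size_t len, struct link_key_notify *out)
{
    if (len < 2)
        return KEY_MALFORMED;
    if (pkt[0] != EV_LINK_KEY_NOTIFY)
        return KEY_OTHER_EVENT;
    if (pkt[1] != LINK_KEY_NOTIFY_PLEN || len < 2 + LINK_KEY_NOTIFY_PLEN)
        return KEY_MALFORMED;
    memcpy(out->bdaddr, pkt + 2, sizeof out->bdaddr);
    memcpy(out->link_key, pkt + 8, LINK_KEY_SIZE);
    out->key_type = pkt[24];
    return key_is_zero(out->link_key, LINK_KEY_SIZE) ? KEY_ZERO : KEY_OK;
}

/* Constructed sample events, not captured traffic: the same peer address with
 * the all-zero key the attack induces, and with a non-zero key of type 0x05. */
const uint8_t sample_zero_key_evt[25] = { 0x18, 23, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00 };
const uint8_t sample_real_key_evt[25] = { 0x18, 23, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01,
    0x9c, 0x21, 0xe7, 0x5a, 0x10, 0x0b, 0xc3, 0x44, 0x5d, 0x8e, 0x12, 0xf0, 0x77, 0x3a, 0xab, 0x6e, 0x05 };
```

A KEY_ZERO verdict is the point at which the kernel patch above chooses not to store the key; the thread argues the link should additionally be disconnected, since the controller has already accepted the pairing.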