Message ID | 20230714161210.20969-1-jlee@suse.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | Bluetooth: hci_event: Ignore NULL link key | expand |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/CheckPatch | warning | WARNING: From:/Signed-off-by: email address mismatch: 'From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>' != 'Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>' total: 0 errors, 1 warnings, 0 checks, 12 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13313835.patch has style problems, please review. NOTE: Ignored message types: UNKNOWN_COMMIT_ID NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. |
tedd_an/GitLint | fail | WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 23: B1 Line exceeds max length (81>80): "Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]" |
tedd_an/SubjectPrefix | success | Gitlint PASS |
tedd_an/BuildKernel | success | BuildKernel PASS |
tedd_an/CheckAllWarning | success | CheckAllWarning PASS |
tedd_an/CheckSparse | warning | CheckSparse WARNING net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h): |
tedd_an/CheckSmatch | warning | CheckSparse WARNING net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h): |
tedd_an/BuildKernel32 | success | BuildKernel32 PASS |
tedd_an/TestRunnerSetup | success | TestRunnerSetup PASS |
tedd_an/TestRunner_l2cap-tester | success | TestRunner PASS |
tedd_an/TestRunner_iso-tester | success | TestRunner PASS |
tedd_an/TestRunner_bnep-tester | success | TestRunner PASS |
tedd_an/TestRunner_mgmt-tester | success | TestRunner PASS |
tedd_an/TestRunner_rfcomm-tester | success | TestRunner PASS |
tedd_an/TestRunner_sco-tester | success | TestRunner PASS |
tedd_an/TestRunner_ioctl-tester | success | TestRunner PASS |
tedd_an/TestRunner_mesh-tester | success | TestRunner PASS |
tedd_an/TestRunner_smp-tester | success | TestRunner PASS |
tedd_an/TestRunner_userchan-tester | success | TestRunner PASS |
tedd_an/IncrementalBuild | success | Incremental Build PASS |
This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=765780 ---Test result--- Test Summary: CheckPatch FAIL 0.94 seconds GitLint FAIL 0.54 seconds SubjectPrefix PASS 0.09 seconds BuildKernel PASS 33.91 seconds CheckAllWarning PASS 36.79 seconds CheckSparse WARNING 41.59 seconds CheckSmatch WARNING 113.49 seconds BuildKernel32 PASS 32.55 seconds TestRunnerSetup PASS 496.37 seconds TestRunner_l2cap-tester PASS 23.35 seconds TestRunner_iso-tester PASS 41.73 seconds TestRunner_bnep-tester PASS 10.61 seconds TestRunner_mgmt-tester PASS 217.91 seconds TestRunner_rfcomm-tester PASS 16.03 seconds TestRunner_sco-tester PASS 16.84 seconds TestRunner_ioctl-tester PASS 17.97 seconds TestRunner_mesh-tester PASS 13.39 seconds TestRunner_smp-tester PASS 14.57 seconds TestRunner_userchan-tester PASS 11.50 seconds IncrementalBuild PASS 31.19 seconds Details ############################## Test: CheckPatch - FAIL Desc: Run checkpatch.pl script Output: Bluetooth: hci_event: Ignore NULL link key WARNING: From:/Signed-off-by: email address mismatch: 'From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>' != 'Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>' total: 0 errors, 1 warnings, 0 checks, 12 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13313835.patch has style problems, please review. NOTE: Ignored message types: UNKNOWN_COMMIT_ID NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. ############################## Test: GitLint - FAIL Desc: Run gitlint Output: Bluetooth: hci_event: Ignore NULL link key WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 23: B1 Line exceeds max length (81>80): "Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]" ############################## Test: CheckSparse - WARNING Desc: Run sparse tool with linux kernel Output: net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h): ############################## Test: CheckSmatch - WARNING Desc: Run smatch tool with source Output: net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h): --- Regards, Linux Bluetooth
Hi Chun-Yi, On Fri, Jul 14, 2023 at 9:14 AM Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote: > > This change is used to relieve CVE-2020-26555. The description of the > CVE: > > Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification > 1.0B through 5.2 may permit an unauthenticated nearby device to spoof > the BD_ADDR of the peer device to complete pairing without knowledge > of the PIN. [1] > > The detail of this attack is in IEEE paper: > BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols > [2] > > It's a reflection attack. Base on the paper, attacker can induce the > attacked target to generate null link key (zero key) without PIN code. > > We can ignore null link key in the handler of "Link Key Notification > event" to relieve the attack. A similar implementation also shows in > btstack project. [3] > > Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1] > Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2] > Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3] Shouldn't the last 2 be using Link: instead? > Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com> > --- > net/bluetooth/hci_event.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index 95816a938cea..e81b8d6c13ba 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, > bool persistent; > u8 pin_len = 0; > > + /* Ignore NULL link key against CVE-2020-26555 */ > + if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { > + BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr); Please use bt_dev_dbg instead. > + return; > + } > + > bt_dev_dbg(hdev, ""); > > hci_dev_lock(hdev); > -- > 2.35.3 >
Hi Luiz Augusto von Dentz, First, thanks for your review! On Fri, Jul 14, 2023 at 11:44:28AM -0700, Luiz Augusto von Dentz wrote: > Hi Chun-Yi, > > On Fri, Jul 14, 2023 at 9:14 AM Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote: > > > > This change is used to relieve CVE-2020-26555. The description of the > > CVE: > > > > Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification > > 1.0B through 5.2 may permit an unauthenticated nearby device to spoof > > the BD_ADDR of the peer device to complete pairing without knowledge > > of the PIN. [1] > > > > The detail of this attack is in IEEE paper: > > BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols > > [2] > > > > It's a reflection attack. Base on the paper, attacker can induce the > > attacked target to generate null link key (zero key) without PIN code. > > > > We can ignore null link key in the handler of "Link Key Notification > > event" to relieve the attack. A similar implementation also shows in > > btstack project. [3] > > > > Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1] > > Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2] > > Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3] > > Shouldn't the last 2 be using Link: instead? > Sorry for I confused Link: with Closes:. I will change all of them to Link: tag > > Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com> > > --- > > net/bluetooth/hci_event.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > > index 95816a938cea..e81b8d6c13ba 100644 > > --- a/net/bluetooth/hci_event.c > > +++ b/net/bluetooth/hci_event.c > > @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, > > bool persistent; > > u8 pin_len = 0; > > > > + /* Ignore NULL link key against CVE-2020-26555 */ > > + if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { > > + BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr); > > Please use bt_dev_dbg instead. > I see! I will use bt_dev_dbg. > > + return; > > + } > > + > > bt_dev_dbg(hdev, ""); > > > > hci_dev_lock(hdev); > > -- > > 2.35.3 > > Thanks a lot! Joey Lee
Hi Markus, Thanks for your review! On Fri, Jul 14, 2023 at 10:30:17PM +0200, Markus Elfring wrote: > … > > We can ignore null link key in the handler of "Link Key Notification > > event" to relieve the attack. … > > Are imperative change descriptions still preferred? > > See also: > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.5-rc1#n94 > > > How do you think about to add the tag “Fixes” because of > an added case distinction? > Sorry for I didn't capture your point. The "Link Key Notification event" is a term in bluetooth-core spec. What should I change in my patch description? Thanks a lot! Joey Le
Hi Markus, On Mon, Jul 17, 2023 at 08:15:56AM +0200, Markus Elfring wrote: > >> … > >>> We can ignore null link key in the handler of "Link Key Notification > >>> event" to relieve the attack. … > … > > Sorry for I didn't capture your point. > > Did you provide sufficient justification for a possible addition of the tag “Fixes”? > This patch is against a CVE. The issue is not introduced by any old kernel patch. So I think it doesn't need Fixes: tag. > > > What should I change in my patch description? > > I hope that corresponding imperative wordings can become more helpful > also according to another Linux development requirement. > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.5-rc1#n94 > Thanks a lot! Joey LEe
On Mon, Jul 17, 2023 at 06:23:10PM +0800, joeyli wrote: > Hi Markus, > > On Mon, Jul 17, 2023 at 08:15:56AM +0200, Markus Elfring wrote: > > >> … > > >>> We can ignore null link key in the handler of "Link Key Notification > > >>> event" to relieve the attack. … > > … > > > Sorry for I didn't capture your point. > > > > Did you provide sufficient justification for a possible addition of the tag “Fixes”? > > > > This patch is against a CVE. The issue is not introduced by any old kernel > patch. So I think it doesn't need Fixes: tag. You should probably put a Fixes tag against when the feature was introduced. (Kernel's prior to that were not affected by the CVE). regards, dan carpenter
Hi Dan, On Mon, Jul 17, 2023 at 02:25:06PM +0300, Dan Carpenter wrote: > On Mon, Jul 17, 2023 at 06:23:10PM +0800, joeyli wrote: > > Hi Markus, > > > > On Mon, Jul 17, 2023 at 08:15:56AM +0200, Markus Elfring wrote: > > > >> … > > > >>> We can ignore null link key in the handler of "Link Key Notification > > > >>> event" to relieve the attack. … > > > … > > > > Sorry for I didn't capture your point. > > > > > > Did you provide sufficient justification for a possible addition of the tag “Fixes”? > > > > > > > This patch is against a CVE. The issue is not introduced by any old kernel > > patch. So I think it doesn't need Fixes: tag. > > You should probably put a Fixes tag against when the feature was > introduced. (Kernel's prior to that were not affected by the CVE). > OK! I see. I have digged that the link key stored function be introduced by 55ed8ca10f35 since v2.6.39-rc1: commit 55ed8ca10f3530de8edbbf138acb50992bf5005b Author: Johan Hedberg <johan.hedberg@nokia.com> Date: Mon Jan 17 14:41:05 2011 +0200 Bluetooth: Implement link key handling for the management interface I will add Fixes: 55ed8ca10f35 ("Bluetooth: Implement link key handling for the management interface") in next version. Thanks for your and Markus's reminder. Joey Lee
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 95816a938cea..e81b8d6c13ba 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -4684,6 +4684,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, bool persistent; u8 pin_len = 0; + /* Ignore NULL link key against CVE-2020-26555 */ + if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { + BT_DBG("Ignore NULL link key (ZERO KEY) for %pMR", &ev->bdaddr); + return; + } + bt_dev_dbg(hdev, ""); hci_dev_lock(hdev);
This change is used to relieve CVE-2020-26555. The description of the CVE: Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN. [1] The detail of this attack is in IEEE paper: BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols [2] It's a reflection attack. Base on the paper, attacker can induce the attacked target to generate null link key (zero key) without PIN code. We can ignore null link key in the handler of "Link Key Notification event" to relieve the attack. A similar implementation also shows in btstack project. [3] Closes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1] Closes: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2] Closes: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3] Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com> --- net/bluetooth/hci_event.c | 6 ++++++ 1 file changed, 6 insertions(+)