summary refs log tree commit diff
path: root/gnu/packages/patches/bluez-CVE-2020-0556.patch
blob: 7c34459a3ae49e402a66bf902f427826874e98b5 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
Fix CVE-2020-0556:

https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556

Patches copied from upstream source repository:

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1

From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
From: Alain Michaud <alainm@chromium.org>
Date: Tue, 10 Mar 2020 02:35:18 +0000
Subject: [PATCH] HID accepts bonded device connections only.

This change adds a configuration for platforms to choose a more secure
posture for the HID profile.  While some older mice are known to not
support pairing or encryption, some platform may choose a more secure
posture by requiring the device to be bonded  and require the
connection to be encrypted when bonding is required.

Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
---
 profiles/input/device.c   | 23 ++++++++++++++++++++++-
 profiles/input/device.h   |  1 +
 profiles/input/input.conf |  8 ++++++++
 profiles/input/manager.c  | 13 ++++++++++++-
 4 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/profiles/input/device.c b/profiles/input/device.c
index 2cb3811c8..d89da2d7c 100644
--- a/profiles/input/device.c
+++ b/profiles/input/device.c
@@ -92,6 +92,7 @@ struct input_device {
 
 static int idle_timeout = 0;
 static bool uhid_enabled = false;
+static bool classic_bonded_only = false;
 
 void input_set_idle_timeout(int timeout)
 {
@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
 	uhid_enabled = state;
 }
 
+void input_set_classic_bonded_only(bool state)
+{
+	classic_bonded_only = state;
+}
+
 static void input_device_enter_reconnect_mode(struct input_device *idev);
 static int connection_disconnect(struct input_device *idev, uint32_t flags);
 
@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
 	if (device_name_known(idev->device))
 		device_get_name(idev->device, req->name, sizeof(req->name));
 
+	/* Make sure the device is bonded if required */
+	if (classic_bonded_only && !device_is_bonded(idev->device,
+				btd_device_get_bdaddr_type(idev->device))) {
+		error("Rejected connection from !bonded device %s", dst_addr);
+		goto cleanup;
+	}
+
 	/* Encryption is mandatory for keyboards */
-	if (req->subclass & 0x40) {
+	/* Some platforms may choose to require encryption for all devices */
+	/* Note that this only matters for pre 2.1 devices as otherwise the */
+	/* device is encrypted by default by the lower layers */
+	if (classic_bonded_only || req->subclass & 0x40) {
 		if (!bt_io_set(idev->intr_io, &gerr,
 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
 					BT_IO_OPT_INVALID)) {
@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
 	DBG("path=%s reconnect_mode=%s", idev->path,
 				reconnect_mode_to_string(idev->reconnect_mode));
 
+	/* Make sure the device is bonded if required */
+	if (classic_bonded_only && !device_is_bonded(idev->device,
+				btd_device_get_bdaddr_type(idev->device)))
+		return;
+
 	/* Only attempt an auto-reconnect when the device is required to
 	 * accept reconnections from the host.
 	 */
diff --git a/profiles/input/device.h b/profiles/input/device.h
index 51a9aee18..3044db673 100644
--- a/profiles/input/device.h
+++ b/profiles/input/device.h
@@ -29,6 +29,7 @@ struct input_conn;
 
 void input_set_idle_timeout(int timeout);
 void input_enable_userspace_hid(bool state);
+void input_set_classic_bonded_only(bool state);
 
 int input_device_register(struct btd_service *service);
 void input_device_unregister(struct btd_service *service);
diff --git a/profiles/input/input.conf b/profiles/input/input.conf
index 3e1d65aae..166aff4a4 100644
--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
@@ -11,3 +11,11 @@
 # Enable HID protocol handling in userspace input profile
 # Defaults to false (HIDP handled in HIDP kernel module)
 #UserspaceHID=true
+
+# Limit HID connections to bonded devices
+# The HID Profile does not specify that devices must be bonded, however some
+# platforms may want to make sure that input connections only come from bonded
+# device connections. Several older mice have been known for not supporting
+# pairing/encryption.
+# Defaults to false to maximize device compatibility.
+#ClassicBondedOnly=true
diff --git a/profiles/input/manager.c b/profiles/input/manager.c
index 1d31b0652..5cd27b839 100644
--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
@@ -96,7 +96,7 @@ static int input_init(void)
 	config = load_config_file(CONFIGDIR "/input.conf");
 	if (config) {
 		int idle_timeout;
-		gboolean uhid_enabled;
+		gboolean uhid_enabled, classic_bonded_only;
 
 		idle_timeout = g_key_file_get_integer(config, "General",
 							"IdleTimeout", &err);
@@ -114,6 +114,17 @@ static int input_init(void)
 			input_enable_userspace_hid(uhid_enabled);
 		} else
 			g_clear_error(&err);
+
+		classic_bonded_only = g_key_file_get_boolean(config, "General",
+						"ClassicBondedOnly", &err);
+
+		if (!err) {
+			DBG("input.conf: ClassicBondedOnly=%s",
+					classic_bonded_only ? "true" : "false");
+			input_set_classic_bonded_only(classic_bonded_only);
+		} else
+			g_clear_error(&err);
+
 	}
 
 	btd_profile_register(&input_profile);
-- 
2.25.1

From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
From: Alain Michaud <alainm@chromium.org>
Date: Tue, 10 Mar 2020 02:35:16 +0000
Subject: [PATCH] HOGP must only accept data from bonded devices.

HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.

Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
---
 profiles/input/hog.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index 83c017dcb..dfac68921 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
 			return -EINVAL;
 	}
 
+	/* HOGP 1.0 Section 6.1 requires bonding */
+	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
+		return -ECONNREFUSED;
+
 	/* TODO: Replace GAttrib with bt_gatt_client */
 	bt_hog_attach(dev->hog, attrib);
 
-- 
2.25.1