summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2020-03-13 09:09:38 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-03-13 23:00:26 +0000
commitbed169a07b04a7dc003958fa309e6ff761f85a72 (patch)
tree12e6c38a7eabf2513f1dfac55e51db47a567308d /meta
parent901a93885fccd2640b1205d84959a4e894f8f224 (diff)
downloadpoky-bed169a07b04a7dc003958fa309e6ff761f85a72.tar.gz
bluez: fix CVE-2020-0556
It was discovered that BlueZ's HID and HOGP profiles implementations don't specifically require bonding between the device and the host. This creates an opportunity for an malicious device to connect to a target host to either impersonate an existing HID device without security or to cause an SDP or GATT service discovery to take place which would allow HID reports to be injected to the input subsystem from a non-bonded source. (From OE-Core rev: d598f8eee0741148416e8660e10c716654205cb5) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5.inc2
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch35
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch143
3 files changed, 180 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 150d909d73..708fa1ccec 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -52,6 +52,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
52 ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ 52 ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
53 file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ 53 file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
54 file://0001-test-gatt-Fix-hung-issue.patch \ 54 file://0001-test-gatt-Fix-hung-issue.patch \
55 file://CVE-2020-0556-1.patch \
56 file://CVE-2020-0556-2.patch \
55 " 57 "
56S = "${WORKDIR}/bluez-${PV}" 58S = "${WORKDIR}/bluez-${PV}"
57 59
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch
new file mode 100644
index 0000000000..a6bf31e14b
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch
@@ -0,0 +1,35 @@
1From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
2From: Alain Michaud <alainm@chromium.org>
3Date: Tue, 10 Mar 2020 02:35:16 +0000
4Subject: [PATCH 1/2] HOGP must only accept data from bonded devices.
5
6HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
7
8Reference:
9https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
10
11Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1]
12Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
13CVE: CVE-2020-0556
14---
15 profiles/input/hog.c | 4 ++++
16 1 file changed, 4 insertions(+)
17
18diff --git a/profiles/input/hog.c b/profiles/input/hog.c
19index 83c017dcb..dfac68921 100644
20--- a/profiles/input/hog.c
21+++ b/profiles/input/hog.c
22@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
23 return -EINVAL;
24 }
25
26+ /* HOGP 1.0 Section 6.1 requires bonding */
27+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
28+ return -ECONNREFUSED;
29+
30 /* TODO: Replace GAttrib with bt_gatt_client */
31 bt_hog_attach(dev->hog, attrib);
32
33--
342.24.1
35
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch
new file mode 100644
index 0000000000..8acb2f15ec
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch
@@ -0,0 +1,143 @@
1From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
2From: Alain Michaud <alainm@chromium.org>
3Date: Tue, 10 Mar 2020 02:35:18 +0000
4Subject: [PATCH 2/2] HID accepts bonded device connections only.
5
6This change adds a configuration for platforms to choose a more secure
7posture for the HID profile. While some older mice are known to not
8support pairing or encryption, some platform may choose a more secure
9posture by requiring the device to be bonded and require the
10connection to be encrypted when bonding is required.
11
12Reference:
13https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
14
15Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787]
16Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
17CVE: CVE-2020-0556
18
19---
20 profiles/input/device.c | 23 ++++++++++++++++++++++-
21 profiles/input/device.h | 1 +
22 profiles/input/input.conf | 8 ++++++++
23 profiles/input/manager.c | 13 ++++++++++++-
24 4 files changed, 43 insertions(+), 2 deletions(-)
25
26diff --git a/profiles/input/device.c b/profiles/input/device.c
27index 2cb3811c8..d89da2d7c 100644
28--- a/profiles/input/device.c
29+++ b/profiles/input/device.c
30@@ -92,6 +92,7 @@ struct input_device {
31
32 static int idle_timeout = 0;
33 static bool uhid_enabled = false;
34+static bool classic_bonded_only = false;
35
36 void input_set_idle_timeout(int timeout)
37 {
38@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
39 uhid_enabled = state;
40 }
41
42+void input_set_classic_bonded_only(bool state)
43+{
44+ classic_bonded_only = state;
45+}
46+
47 static void input_device_enter_reconnect_mode(struct input_device *idev);
48 static int connection_disconnect(struct input_device *idev, uint32_t flags);
49
50@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
51 if (device_name_known(idev->device))
52 device_get_name(idev->device, req->name, sizeof(req->name));
53
54+ /* Make sure the device is bonded if required */
55+ if (classic_bonded_only && !device_is_bonded(idev->device,
56+ btd_device_get_bdaddr_type(idev->device))) {
57+ error("Rejected connection from !bonded device %s", dst_addr);
58+ goto cleanup;
59+ }
60+
61 /* Encryption is mandatory for keyboards */
62- if (req->subclass & 0x40) {
63+ /* Some platforms may choose to require encryption for all devices */
64+ /* Note that this only matters for pre 2.1 devices as otherwise the */
65+ /* device is encrypted by default by the lower layers */
66+ if (classic_bonded_only || req->subclass & 0x40) {
67 if (!bt_io_set(idev->intr_io, &gerr,
68 BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
69 BT_IO_OPT_INVALID)) {
70@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
71 DBG("path=%s reconnect_mode=%s", idev->path,
72 reconnect_mode_to_string(idev->reconnect_mode));
73
74+ /* Make sure the device is bonded if required */
75+ if (classic_bonded_only && !device_is_bonded(idev->device,
76+ btd_device_get_bdaddr_type(idev->device)))
77+ return;
78+
79 /* Only attempt an auto-reconnect when the device is required to
80 * accept reconnections from the host.
81 */
82diff --git a/profiles/input/device.h b/profiles/input/device.h
83index 51a9aee18..3044db673 100644
84--- a/profiles/input/device.h
85+++ b/profiles/input/device.h
86@@ -29,6 +29,7 @@ struct input_conn;
87
88 void input_set_idle_timeout(int timeout);
89 void input_enable_userspace_hid(bool state);
90+void input_set_classic_bonded_only(bool state);
91
92 int input_device_register(struct btd_service *service);
93 void input_device_unregister(struct btd_service *service);
94diff --git a/profiles/input/input.conf b/profiles/input/input.conf
95index 3e1d65aae..166aff4a4 100644
96--- a/profiles/input/input.conf
97+++ b/profiles/input/input.conf
98@@ -11,3 +11,11 @@
99 # Enable HID protocol handling in userspace input profile
100 # Defaults to false (HIDP handled in HIDP kernel module)
101 #UserspaceHID=true
102+
103+# Limit HID connections to bonded devices
104+# The HID Profile does not specify that devices must be bonded, however some
105+# platforms may want to make sure that input connections only come from bonded
106+# device connections. Several older mice have been known for not supporting
107+# pairing/encryption.
108+# Defaults to false to maximize device compatibility.
109+#ClassicBondedOnly=true
110diff --git a/profiles/input/manager.c b/profiles/input/manager.c
111index 1d31b0652..5cd27b839 100644
112--- a/profiles/input/manager.c
113+++ b/profiles/input/manager.c
114@@ -96,7 +96,7 @@ static int input_init(void)
115 config = load_config_file(CONFIGDIR "/input.conf");
116 if (config) {
117 int idle_timeout;
118- gboolean uhid_enabled;
119+ gboolean uhid_enabled, classic_bonded_only;
120
121 idle_timeout = g_key_file_get_integer(config, "General",
122 "IdleTimeout", &err);
123@@ -114,6 +114,17 @@ static int input_init(void)
124 input_enable_userspace_hid(uhid_enabled);
125 } else
126 g_clear_error(&err);
127+
128+ classic_bonded_only = g_key_file_get_boolean(config, "General",
129+ "ClassicBondedOnly", &err);
130+
131+ if (!err) {
132+ DBG("input.conf: ClassicBondedOnly=%s",
133+ classic_bonded_only ? "true" : "false");
134+ input_set_classic_bonded_only(classic_bonded_only);
135+ } else
136+ g_clear_error(&err);
137+
138 }
139
140 btd_profile_register(&input_profile);
141--
1422.24.1
143