diff options
Diffstat (limited to 'meta/recipes-connectivity')
3 files changed, 180 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index 150d909d73..708fa1ccec 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc | |||
@@ -52,6 +52,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ | |||
52 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ | 52 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ |
53 | file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ | 53 | file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ |
54 | file://0001-test-gatt-Fix-hung-issue.patch \ | 54 | file://0001-test-gatt-Fix-hung-issue.patch \ |
55 | file://CVE-2020-0556-1.patch \ | ||
56 | file://CVE-2020-0556-2.patch \ | ||
55 | " | 57 | " |
56 | S = "${WORKDIR}/bluez-${PV}" | 58 | S = "${WORKDIR}/bluez-${PV}" |
57 | 59 | ||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch new file mode 100644 index 0000000000..a6bf31e14b --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alain Michaud <alainm@chromium.org> | ||
3 | Date: Tue, 10 Mar 2020 02:35:16 +0000 | ||
4 | Subject: [PATCH 1/2] HOGP must only accept data from bonded devices. | ||
5 | |||
6 | HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. | ||
7 | |||
8 | Reference: | ||
9 | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm | ||
10 | |||
11 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1] | ||
12 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
13 | CVE: CVE-2020-0556 | ||
14 | --- | ||
15 | profiles/input/hog.c | 4 ++++ | ||
16 | 1 file changed, 4 insertions(+) | ||
17 | |||
18 | diff --git a/profiles/input/hog.c b/profiles/input/hog.c | ||
19 | index 83c017dcb..dfac68921 100644 | ||
20 | --- a/profiles/input/hog.c | ||
21 | +++ b/profiles/input/hog.c | ||
22 | @@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) | ||
23 | return -EINVAL; | ||
24 | } | ||
25 | |||
26 | + /* HOGP 1.0 Section 6.1 requires bonding */ | ||
27 | + if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) | ||
28 | + return -ECONNREFUSED; | ||
29 | + | ||
30 | /* TODO: Replace GAttrib with bt_gatt_client */ | ||
31 | bt_hog_attach(dev->hog, attrib); | ||
32 | |||
33 | -- | ||
34 | 2.24.1 | ||
35 | |||
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch new file mode 100644 index 0000000000..8acb2f15ec --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch | |||
@@ -0,0 +1,143 @@ | |||
1 | From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alain Michaud <alainm@chromium.org> | ||
3 | Date: Tue, 10 Mar 2020 02:35:18 +0000 | ||
4 | Subject: [PATCH 2/2] HID accepts bonded device connections only. | ||
5 | |||
6 | This change adds a configuration for platforms to choose a more secure | ||
7 | posture for the HID profile. While some older mice are known to not | ||
8 | support pairing or encryption, some platform may choose a more secure | ||
9 | posture by requiring the device to be bonded and require the | ||
10 | connection to be encrypted when bonding is required. | ||
11 | |||
12 | Reference: | ||
13 | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html | ||
14 | |||
15 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787] | ||
16 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
17 | CVE: CVE-2020-0556 | ||
18 | |||
19 | --- | ||
20 | profiles/input/device.c | 23 ++++++++++++++++++++++- | ||
21 | profiles/input/device.h | 1 + | ||
22 | profiles/input/input.conf | 8 ++++++++ | ||
23 | profiles/input/manager.c | 13 ++++++++++++- | ||
24 | 4 files changed, 43 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/profiles/input/device.c b/profiles/input/device.c | ||
27 | index 2cb3811c8..d89da2d7c 100644 | ||
28 | --- a/profiles/input/device.c | ||
29 | +++ b/profiles/input/device.c | ||
30 | @@ -92,6 +92,7 @@ struct input_device { | ||
31 | |||
32 | static int idle_timeout = 0; | ||
33 | static bool uhid_enabled = false; | ||
34 | +static bool classic_bonded_only = false; | ||
35 | |||
36 | void input_set_idle_timeout(int timeout) | ||
37 | { | ||
38 | @@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) | ||
39 | uhid_enabled = state; | ||
40 | } | ||
41 | |||
42 | +void input_set_classic_bonded_only(bool state) | ||
43 | +{ | ||
44 | + classic_bonded_only = state; | ||
45 | +} | ||
46 | + | ||
47 | static void input_device_enter_reconnect_mode(struct input_device *idev); | ||
48 | static int connection_disconnect(struct input_device *idev, uint32_t flags); | ||
49 | |||
50 | @@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) | ||
51 | if (device_name_known(idev->device)) | ||
52 | device_get_name(idev->device, req->name, sizeof(req->name)); | ||
53 | |||
54 | + /* Make sure the device is bonded if required */ | ||
55 | + if (classic_bonded_only && !device_is_bonded(idev->device, | ||
56 | + btd_device_get_bdaddr_type(idev->device))) { | ||
57 | + error("Rejected connection from !bonded device %s", dst_addr); | ||
58 | + goto cleanup; | ||
59 | + } | ||
60 | + | ||
61 | /* Encryption is mandatory for keyboards */ | ||
62 | - if (req->subclass & 0x40) { | ||
63 | + /* Some platforms may choose to require encryption for all devices */ | ||
64 | + /* Note that this only matters for pre 2.1 devices as otherwise the */ | ||
65 | + /* device is encrypted by default by the lower layers */ | ||
66 | + if (classic_bonded_only || req->subclass & 0x40) { | ||
67 | if (!bt_io_set(idev->intr_io, &gerr, | ||
68 | BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, | ||
69 | BT_IO_OPT_INVALID)) { | ||
70 | @@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev) | ||
71 | DBG("path=%s reconnect_mode=%s", idev->path, | ||
72 | reconnect_mode_to_string(idev->reconnect_mode)); | ||
73 | |||
74 | + /* Make sure the device is bonded if required */ | ||
75 | + if (classic_bonded_only && !device_is_bonded(idev->device, | ||
76 | + btd_device_get_bdaddr_type(idev->device))) | ||
77 | + return; | ||
78 | + | ||
79 | /* Only attempt an auto-reconnect when the device is required to | ||
80 | * accept reconnections from the host. | ||
81 | */ | ||
82 | diff --git a/profiles/input/device.h b/profiles/input/device.h | ||
83 | index 51a9aee18..3044db673 100644 | ||
84 | --- a/profiles/input/device.h | ||
85 | +++ b/profiles/input/device.h | ||
86 | @@ -29,6 +29,7 @@ struct input_conn; | ||
87 | |||
88 | void input_set_idle_timeout(int timeout); | ||
89 | void input_enable_userspace_hid(bool state); | ||
90 | +void input_set_classic_bonded_only(bool state); | ||
91 | |||
92 | int input_device_register(struct btd_service *service); | ||
93 | void input_device_unregister(struct btd_service *service); | ||
94 | diff --git a/profiles/input/input.conf b/profiles/input/input.conf | ||
95 | index 3e1d65aae..166aff4a4 100644 | ||
96 | --- a/profiles/input/input.conf | ||
97 | +++ b/profiles/input/input.conf | ||
98 | @@ -11,3 +11,11 @@ | ||
99 | # Enable HID protocol handling in userspace input profile | ||
100 | # Defaults to false (HIDP handled in HIDP kernel module) | ||
101 | #UserspaceHID=true | ||
102 | + | ||
103 | +# Limit HID connections to bonded devices | ||
104 | +# The HID Profile does not specify that devices must be bonded, however some | ||
105 | +# platforms may want to make sure that input connections only come from bonded | ||
106 | +# device connections. Several older mice have been known for not supporting | ||
107 | +# pairing/encryption. | ||
108 | +# Defaults to false to maximize device compatibility. | ||
109 | +#ClassicBondedOnly=true | ||
110 | diff --git a/profiles/input/manager.c b/profiles/input/manager.c | ||
111 | index 1d31b0652..5cd27b839 100644 | ||
112 | --- a/profiles/input/manager.c | ||
113 | +++ b/profiles/input/manager.c | ||
114 | @@ -96,7 +96,7 @@ static int input_init(void) | ||
115 | config = load_config_file(CONFIGDIR "/input.conf"); | ||
116 | if (config) { | ||
117 | int idle_timeout; | ||
118 | - gboolean uhid_enabled; | ||
119 | + gboolean uhid_enabled, classic_bonded_only; | ||
120 | |||
121 | idle_timeout = g_key_file_get_integer(config, "General", | ||
122 | "IdleTimeout", &err); | ||
123 | @@ -114,6 +114,17 @@ static int input_init(void) | ||
124 | input_enable_userspace_hid(uhid_enabled); | ||
125 | } else | ||
126 | g_clear_error(&err); | ||
127 | + | ||
128 | + classic_bonded_only = g_key_file_get_boolean(config, "General", | ||
129 | + "ClassicBondedOnly", &err); | ||
130 | + | ||
131 | + if (!err) { | ||
132 | + DBG("input.conf: ClassicBondedOnly=%s", | ||
133 | + classic_bonded_only ? "true" : "false"); | ||
134 | + input_set_classic_bonded_only(classic_bonded_only); | ||
135 | + } else | ||
136 | + g_clear_error(&err); | ||
137 | + | ||
138 | } | ||
139 | |||
140 | btd_profile_register(&input_profile); | ||
141 | -- | ||
142 | 2.24.1 | ||
143 | |||