blob: a6bf31e14bb5f73713fb8da3164c36be807ad3f7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
From: Alain Michaud <alainm@chromium.org>
Date: Tue, 10 Mar 2020 02:35:16 +0000
Subject: [PATCH 1/2] HOGP must only accept data from bonded devices.
HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
CVE: CVE-2020-0556
---
profiles/input/hog.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index 83c017dcb..dfac68921 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
return -EINVAL;
}
+ /* HOGP 1.0 Section 6.1 requires bonding */
+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
+ return -ECONNREFUSED;
+
/* TODO: Replace GAttrib with bt_gatt_client */
bt_hog_attach(dev->hog, attrib);
--
2.24.1
|