
Re: bluez / CVE-2020-0556



Hi Brian

When looking at this with actually having the patch at hand and not
answering from memory I realize that the reason why I thought that
hog.c would not be affected was that there was no accept function in
the Jessie version. Now when looking at your proposed patch I can see
that connected is probably a similar thing. From that I think your
patch would work quite well.

But I'm not a bluetooth expert so please judge without too much
thinking on what I think. What I can say is that it looks reasonable.

Best regards

// Ola

On Tue, 12 May 2020 at 00:01, Brian May <bam@debian.org> wrote:
>
> Brian May <brian@linuxpenguins.xyz> writes:
>
> > Looking at commit
> > https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7d9718cfcc11eaa9d8059e721301cdc00ef8c82e,
> > it looks like maybe we should be patching the attio_connected_cb()
> > function instead. But this function doesn't appear to have any way to
> > return an error indicating it failed, which seems to be required by the
> > patch. It might be sufficient just to ignore the error and return
> > immediately if device is not bonded. Not sure how much I can
> > trust this however.
> >
> > My gut feeling to fix this we should backport version 5.43-2+deb9u2 from
> > stretch to Jessie. Yes, this might break stuff, but I suspect just the
> > very basic idea of this security fix - rejecting unbonded connections -
> > could break stuff also.
>
> Thinking this through some more, I struggle to get bluetooth working
> correctly on the latest Debian, let alone testing an older release. I am
> not sure if this is due to hardware or software issues. Not to mention
> the fact I don't have a lot of bluetooth HID devices to test. I am sure
> I had a bluetooth keyboard somewhere...
>
> Is anybody here in a better position than I am to test this? If not,
> this might be another reason to backport the Stretch version...
>
> Regardless, I suspect something like the following patch might be a good
> starting point. Although I am not entirely convinced you can reject a
> connection from the attio_connected_cb function like this...
>
> === cut ====
> diff --git a/profiles/input/hog.c b/profiles/input/hog.c
> index b9aba657a..971fda822 100644
> --- a/profiles/input/hog.c
> +++ b/profiles/input/hog.c
> @@ -654,6 +654,11 @@ static void attio_connected_cb(GAttrib *attrib, gpointer user_data)
>
>         DBG("HoG connected");
>
> +       /* HOGP 1.0 Section 6.1 requires bonding */
> +       if (!device_is_bonded(hogdev, btd_device_get_bdaddr_type(hogdev)))
> +               DBG("HoG not bonded");
> +               return;
> +
>         hogdev->attrib = g_attrib_ref(attrib);
>
>         if (hogdev->reports == NULL) {
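Review bot: the `if` on the device_is_bonded() check has no braces, so only `DBG("HoG not bonded");` is conditional and the `return;` runs unconditionally; every connection, bonded or not, then leaves attio_connected_cb() before `hogdev->attrib = g_attrib_ref(attrib);` and HoG input stops working entirely. Wrap both statements: `if (!device_is_bonded(...)) {` / `DBG("HoG not bonded"); return;` / `}`. Also check the first argument: `hogdev` is the profile's own struct (the hunk dereferences `hogdev->attrib` and `hogdev->reports`), while device_is_bonded() and btd_device_get_bdaddr_type() take a `struct btd_device *`; in the Jessie hog.c the device is a member of struct hog_device, so the calls most likely need `hogdev->device`, otherwise this will not compile. Finally, because the callback is void, returning early only skips setting up the attrib and report handlers; it does not refuse or tear down the ATT link, so an unbonded peer stays connected but unserviced. That is weaker than the upstream approach of returning an error from the accept path, which is worth noting in the changelog if this route is taken.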
> === cut ====
> --
> Brian May <bam@debian.org>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

