Bluetooth: Reject connection with the device which has same BD_ADDR
author Lee, Chun-Yi <jlee@suse.com>
Sun, 1 Oct 2023 08:59:58 +0000 (16:59 +0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 25 Oct 2023 10:03:03 +0000 (12:03 +0200)
commit 1ffc6f8cc33268731fcf9629fc4438f6db1191fc upstream.

This change is used to relieve CVE-2020-26555. The description of
the CVE:

Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]

The details of this attack are in the IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]

It's a reflection attack. The paper mentioned that an attacker can induce
the attacked target to generate a null link key (zero key) without a PIN
code. In BR/EDR, the key generation is actually handled in the controller
which is below HCI.

A condition of this attack is that the attacker should change the
BD_ADDR of his hacking device (Host B) to equal the BD_ADDR of
the target device being attacked (Host A).

Thus, we reject the connection with a device which has the same BD_ADDR
both on HCI_Create_Connection and HCI_Connection_Request to prevent
the attack. A similar implementation also appears in the btstack project.
[3][4]

Cc: stable@vger.kernel.org
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/bluetooth/hci_conn.c
net/bluetooth/hci_event.c

index 61059571c8779281b3e4277601fe02a314dc7aec..f8ba3f5aa877b2da29a4b507dbed235f15587a76 100644 (file)
@@ -1583,6 +1583,15 @@ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
                return ERR_PTR(-EOPNOTSUPP);
        }
 
+       /* Reject outgoing connection to device with same BD ADDR against
+        * CVE-2020-26555
+        */
+       if (!bacmp(&hdev->bdaddr, dst)) {
+               bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+                          dst);
+               return ERR_PTR(-ECONNREFUSED);
+       }
+
        acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
        if (!acl) {
                acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
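Review bot: The format string in the new bt_dev_dbg() call, `"Reject connection with same BD_ADDR %pMR\n"`, ends in an explicit newline, but bt_dev_dbg() (via BT_DBG/pr_debug) already appends one, so this prints a blank line in the trace; drop the "\n" to match the existing bt_dev_dbg() calls in the Bluetooth core (compare the unchanged `bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", ...)` in the second hunk). The placement of the check itself is right: it follows the -EOPNOTSUPP guard and precedes hci_conn_hash_lookup_ba(), so no hci_conn is ever created for a peer whose address equals hdev->bdaddr, and -ECONNREFUSED is a sensible error to hand back to the caller.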
index 755c22910821cf0dd98457bf9d10b91e62391be0..399d89fbc5dcb60ac288a419bf26ba2d96a1682d 100644 (file)
@@ -3277,6 +3277,17 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
 
        bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
 
+       /* Reject incoming connection from device with same BD ADDR against
+        * CVE-2020-26555
+        */
+       if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+       {
+               bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+                          &ev->bdaddr);
+               hci_reject_conn(hdev, &ev->bdaddr);
+               return;
+       }
+
        mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
                                      &flags);
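Review bot: The opening brace of the new if statement in hci_conn_request_evt() sits on its own line (`if (!bacmp(&hdev->bdaddr, &ev->bdaddr))` followed by `{`), which violates the kernel coding style and is inconsistent with the same check in hci_connect_acl() in the first hunk; move the brace onto the if line. The bt_dev_dbg() format string here also carries the same redundant trailing "\n" as in the first hunk (the unchanged `bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);` just above shows the expected form). Otherwise the ordering is correct: the request is rejected with hci_reject_conn() before hci_proto_connect_ind() is consulted, so no upper-layer protocol sees the spoofed peer.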