mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-01 06:33:07 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Alex Lu 34c032a72f Bluetooth: Add more enc key size check 
commit 04a342cc49 upstream.

When we are slave role and receives l2cap conn req when encryption has
started, we should check the enc key size to avoid KNOB attack or BLUFFS
attack.
From SIG recommendation, implementations are advised to reject
service-level connections on an encrypted baseband link with key
strengths below 7 octets.
A simple and clear way to achieve this is to place the enc key size
check in hci_cc_read_enc_key_size()

The btmon log below shows the case that lacks enc key size check.

> HCI Event: Connect Request (0x04) plen 10
        Address: BB:22:33:44:55:99 (OUI BB-22-33)
        Class: 0x480104
          Major class: Computer (desktop, notebook, PDA, organizers)
          Minor class: Desktop workstation
          Capturing (Scanner, Microphone)
          Telephony (Cordless telephony, Modem, Headset)
        Link type: ACL (0x01)
< HCI Command: Accept Connection Request (0x01|0x0009) plen 7
        Address: BB:22:33:44:55:99 (OUI BB-22-33)
        Role: Peripheral (0x01)
> HCI Event: Command Status (0x0f) plen 4
      Accept Connection Request (0x01|0x0009) ncmd 2
        Status: Success (0x00)
> HCI Event: Connect Complete (0x03) plen 11
        Status: Success (0x00)
        Handle: 1
        Address: BB:22:33:44:55:99 (OUI BB-22-33)
        Link type: ACL (0x01)
        Encryption: Disabled (0x00)
...

> HCI Event: Encryption Change (0x08) plen 4
        Status: Success (0x00)
        Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
        Encryption: Enabled with E0 (0x01)
< HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2
        Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
> HCI Event: Command Complete (0x0e) plen 7
      Read Encryption Key Size (0x05|0x0008) ncmd 2
        Status: Success (0x00)
        Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
        Key size: 6
// We should check the enc key size
...

> ACL Data RX: Handle 1 flags 0x02 dlen 12
      L2CAP: Connection Request (0x02) ident 3 len 4
        PSM: 25 (0x0019)
        Source CID: 64
< ACL Data TX: Handle 1 flags 0x00 dlen 16
      L2CAP: Connection Response (0x03) ident 3 len 8
        Destination CID: 64
        Source CID: 64
        Result: Connection pending (0x0001)
        Status: Authorization pending (0x0002)
> HCI Event: Number of Completed Packets (0x13) plen 5
        Num handles: 1
        Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
        Count: 1
        #35: len 16 (25 Kb/s)
        Latency: 5 msec (2-7 msec ~4 msec)
< ACL Data TX: Handle 1 flags 0x00 dlen 16
      L2CAP: Connection Response (0x03) ident 3 len 8
        Destination CID: 64
        Source CID: 64
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)

Cc: stable@vger.kernel.org
Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
Signed-off-by: Max Chou <max.chou@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-01-01 12:42:41 +00:00
..
6lowpan
9p 9p: v9fs_listxattr: fix %s null argument warning 2023-11-28 17:19:46 +00:00
802
8021q net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() 2024-01-01 12:42:32 +00:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2023-12-20 17:01:50 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2023-12-20 17:01:48 +01:00
ax25 ax25: Kconfig: Update link for linux-ax25.org 2023-09-18 12:56:58 +01:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-24 10:51:39 -07:00
bluetooth Bluetooth: Add more enc key size check 2024-01-01 12:42:41 +00:00
bpf bpf: Prevent inlining of bpf_fentry_test7() 2023-08-30 08:36:17 +02:00
bpfilter
bridge netfilter: nf_conntrack_bridge: initialize err to 0 2023-11-28 17:19:52 +00:00
caif
can can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior 2023-10-06 12:54:33 +02:00
ceph libceph: use kernel_connect() 2023-10-09 13:35:24 +02:00
core net: check dev->gso_max_size in gso_features_check() 2024-01-01 12:42:33 +00:00
dcb
dccp dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2023-11-20 11:59:35 +01:00
devlink devlink: Hold devlink lock on health reporter dump get 2023-10-06 15:56:46 -07:00
dns_resolver keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry 2024-01-01 12:42:33 +00:00
dsa
ethernet
ethtool ethtool: don't propagate EOPNOTSUPP from dumps 2023-12-08 08:52:23 +01:00
handshake net/handshake: fix file ref count in handshake_nl_accept_doit() 2023-10-23 10:19:33 -07:00
hsr hsr: Prevent use after free in prp_create_tagged_frame() 2023-11-20 11:59:34 +01:00
ieee802154 sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
ife net: sched: ife: fix potential use-after-free 2024-01-01 12:42:30 +00:00
ipv4 net: Remove acked SYN flag from packet in the transmit queue correctly 2023-12-20 17:01:49 +01:00
ipv6 net/ipv6: Revert remove expired routes with a separated list of routes 2024-01-01 12:42:33 +00:00
iucv
kcm kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). 2023-09-14 10:43:51 +02:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp udp: annotate data-races around udp->encap_type 2023-11-20 11:58:56 +01:00
l3mdev
lapb
llc llc: verify mac len before reading mac header 2023-11-20 11:59:34 +01:00
mac80211 wifi: mac80211: mesh_plink: fix matches_local logic 2024-01-01 12:42:27 +00:00
mac802154
mctp mctp: perform route lookups under a RCU read-side lock 2023-10-10 19:43:22 -07:00
mpls
mptcp mptcp: fix setsockopt(IP_TOS) subflow locking 2023-11-28 17:20:14 +00:00
ncsi Revert ncsi: Propagate carrier gain/loss events to the NCSI controller 2023-11-28 17:20:10 +00:00
netfilter netfilter: nft_set_pipapo: skip inactive elements during set walk 2023-12-13 18:45:35 +01:00
netlabel
netlink drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group 2023-12-13 18:45:10 +01:00
netrom netrom: Deny concurrent connect(). 2023-08-28 06:58:46 +01:00
nfc nfc: nci: fix possible NULL pointer dereference in send_acknowledge() 2023-10-16 17:34:53 -07:00
nsh
openvswitch net/sched: act_ct: Always fill offloading tuple iifidx 2023-11-20 11:59:37 +01:00
packet packet: Move reference count in packet_sock to atomic_long_t 2023-12-13 18:45:23 +01:00
phonet
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-13 18:45:10 +01:00
qrtr
rds net: prevent address rewrite in kernel_bind() 2023-10-01 19:31:29 +01:00
rfkill net: rfkill: reduce data->mtx scope in rfkill_fop_open 2023-10-11 16:55:10 +02:00
rose net/rose: fix races in rose_kill_by_device() 2024-01-01 12:42:31 +00:00
rxrpc rxrpc: Fix some minor issues with bundle tracing 2023-12-20 17:01:55 +01:00
sched net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table 2023-12-20 17:01:47 +01:00
sctp sctp: update hb timer immediately after users change hb_interval 2023-10-04 17:29:58 -07:00
smc net/smc: fix missing byte order conversion in CLC handshake 2023-12-13 18:45:11 +01:00
strparser
sunrpc SUNRPC: Revert 5f7fc5d69f 2024-01-01 12:42:26 +00:00
switchdev
tipc tipc: Fix kernel-infoleak due to uninitialized TLV value 2023-11-28 17:19:51 +00:00
tls net: tls, update curr on splice as well 2023-12-13 18:45:10 +01:00
unix bpf, sockmap: af_unix stream sockets need to hold ref for pair sock 2023-12-08 08:52:23 +01:00
vmw_vsock vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() 2023-12-20 17:01:50 +01:00
wireless wifi: cfg80211: fix certs build to not depend on file order 2024-01-01 12:42:39 +00:00
x25
xdp xsk: Skip polling event check for unbound socket 2023-12-13 18:45:06 +01:00
xfrm ipsec-2023-10-17 2023-10-17 18:21:13 -07:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c net: prevent address rewrite in kernel_bind() 2023-10-01 19:31:29 +01:00
sysctl_net.c