GNU bug report logs - #40044
BlueZ CVE-2020-0556


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 12 Mar 2020 19:25:01 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.





Report forwarded to guix-patches <at> gnu.org:
bug#40044; Package guix-patches. (Thu, 12 Mar 2020 19:25:01 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 12 Mar 2020 19:25:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: BlueZ CVE-2020-0556
Date: Thu, 12 Mar 2020 15:24:14 -0400
There's some kind of privilege escalation bug in BlueZ:

https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm <at> chromium.org/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

They released 5.53, so here are patches that graft the update or graft
just the upstream patches.




Information forwarded to guix-patches <at> gnu.org:
bug#40044; Package guix-patches. (Thu, 12 Mar 2020 19:30:02 GMT)

Message #8 received at 40044 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 40044 <at> debbugs.gnu.org
Subject: [PATCH] gnu: BlueZ: Fix CVE-2020-0556.
Date: Thu, 12 Mar 2020 15:28:59 -0400
* gnu/packages/patches/bluez-CVE-2020-0556.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (bluez)[replacement]: New field.
(bluez/fixed): New variable.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/linux.scm                        |   9 +
 .../patches/bluez-CVE-2020-0556.patch         | 180 ++++++++++++++++++
 3 files changed, 190 insertions(+)
 create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 99baddea92..8e312e24e7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -763,6 +763,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/binutils-loongson-workaround.patch	\
   %D%/packages/patches/blender-2.79-newer-ffmpeg.patch		\
   %D%/packages/patches/blender-2.79-python-3.7-fix.patch	\
+  %D%/packages/patches/bluez-CVE-2020-0556.patch		\
   %D%/packages/patches/byobu-writable-status.patch		\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/calibre-remove-test-bs4.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 01986222e8..0e84a1750e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3994,6 +3994,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
 (define-public bluez
   (package
     (name "bluez")
+    (replacement bluez/fixed)
     (version "5.52")
     (source (origin
               (method url-fetch)
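
Review bot: the `replacement` field turns this into a graft, which is only sound because `bluez/fixed` keeps the same name and version (5.52) and differs from `bluez` solely in the appended source patch, so everything already built against 5.52 can have its store references rewritten to the fixed output without an ABI change. A one-line comment next to `(replacement bluez/fixed)` naming CVE-2020-0556 would tell the next maintainer when the graft can be dropped (at the next real version bump).
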
@@ -4059,6 +4060,14 @@ Bluetooth audio output devices like headphones or loudspeakers.")
 is flexible, efficient and uses a modular implementation.")
     (license license:gpl2+)))
 
+(define bluez/fixed
+  (package
+    (inherit bluez)
+    (source (origin
+              (inherit (package-source bluez))
+              (patches (append (origin-patches (package-source bluez))
+                               (search-patches "bluez-CVE-2020-0556.patch")))))))
+
 (define-public fuse-exfat
   (package
     (name "fuse-exfat")
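
Review bot: `(inherit (package-source bluez))` carries over the upstream tarball URI and sha256 unchanged and only appends `bluez-CVE-2020-0556.patch`, which is the right shape for a graft. The upstream commits bundled in that patch were written against the BlueZ git tree rather than the 5.52 release (the `index` lines in the patch give git blob IDs, not release context), so the thing to confirm before pushing is that both sub-patches apply to the 5.52 tarball without offsets or fuzz; the "Thanks nckx for testing" in the closing message suggests this was done, but the commit message could say so.
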
diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
new file mode 100644
index 0000000000..7c34459a3a
--- /dev/null
+++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch
@@ -0,0 +1,180 @@
+Fix CVE-2020-0556:
+
+https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm <at> chromium.org/
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
+
+Patches copied from upstream source repository:
+
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
+https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
+
+From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
+From: Alain Michaud <alainm <at> chromium.org>
+Date: Tue, 10 Mar 2020 02:35:18 +0000
+Subject: [PATCH] HID accepts bonded device connections only.
+
+This change adds a configuration for platforms to choose a more secure
+posture for the HID profile.  While some older mice are known to not
+support pairing or encryption, some platform may choose a more secure
+posture by requiring the device to be bonded  and require the
+connection to be encrypted when bonding is required.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
+---
+ profiles/input/device.c   | 23 ++++++++++++++++++++++-
+ profiles/input/device.h   |  1 +
+ profiles/input/input.conf |  8 ++++++++
+ profiles/input/manager.c  | 13 ++++++++++++-
+ 4 files changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 2cb3811c8..d89da2d7c 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -92,6 +92,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
++static bool classic_bonded_only = false;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
+ 	uhid_enabled = state;
+ }
+ 
++void input_set_classic_bonded_only(bool state)
++{
++	classic_bonded_only = state;
++}
++
+ static void input_device_enter_reconnect_mode(struct input_device *idev);
+ static int connection_disconnect(struct input_device *idev, uint32_t flags);
+ 
+@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
+ 	if (device_name_known(idev->device))
+ 		device_get_name(idev->device, req->name, sizeof(req->name));
+ 
++	/* Make sure the device is bonded if required */
++	if (classic_bonded_only && !device_is_bonded(idev->device,
++				btd_device_get_bdaddr_type(idev->device))) {
++		error("Rejected connection from !bonded device %s", dst_addr);
++		goto cleanup;
++	}
++
+ 	/* Encryption is mandatory for keyboards */
+-	if (req->subclass & 0x40) {
++	/* Some platforms may choose to require encryption for all devices */
++	/* Note that this only matters for pre 2.1 devices as otherwise the */
++	/* device is encrypted by default by the lower layers */
++	if (classic_bonded_only || req->subclass & 0x40) {
+ 		if (!bt_io_set(idev->intr_io, &gerr,
+ 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+ 					BT_IO_OPT_INVALID)) {
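
Review bot: the new rejection branch in hidp_add_connection jumps to `cleanup` right after the `error("Rejected connection from !bonded device %s", dst_addr)` call without assigning a failure code first; unless an error value is already pending in the function's return variable at that point, the caller is told the connection succeeded even though no HID connection was set up. Suggest setting an explicit negative errno (for example `err = -EPERM;`, assuming `err` is the variable `cleanup` returns) before the `goto`, so the rejection propagates the same way the other failure paths in this function do. Minor: `classic_bonded_only || req->subclass & 0x40` relies on `&` binding tighter than `||`; writing `(req->subclass & 0x40)` spares the reader a double take.
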
+@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
+ 	DBG("path=%s reconnect_mode=%s", idev->path,
+ 				reconnect_mode_to_string(idev->reconnect_mode));
+ 
++	/* Make sure the device is bonded if required */
++	if (classic_bonded_only && !device_is_bonded(idev->device,
++				btd_device_get_bdaddr_type(idev->device)))
++		return;
++
+ 	/* Only attempt an auto-reconnect when the device is required to
+ 	 * accept reconnections from the host.
+ 	 */
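
Review bot: the bonded check added to input_device_enter_reconnect_mode returns silently, whereas the matching check in hidp_add_connection logs an `error(...)`. Add at least a `DBG(...)` line before the `return` so an operator can see why a previously working but unbonded device stops auto-reconnecting after ClassicBondedOnly is enabled; otherwise the only symptom is a device that never comes back.
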
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 51a9aee18..3044db673 100644
+--- a/profiles/input/device.h
++++ b/profiles/input/device.h
+@@ -29,6 +29,7 @@ struct input_conn;
+ 
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
++void input_set_classic_bonded_only(bool state);
+ 
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 3e1d65aae..166aff4a4 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -11,3 +11,11 @@
+ # Enable HID protocol handling in userspace input profile
+ # Defaults to false (HIDP handled in HIDP kernel module)
+ #UserspaceHID=true
++
++# Limit HID connections to bonded devices
++# The HID Profile does not specify that devices must be bonded, however some
++# platforms may want to make sure that input connections only come from bonded
++# device connections. Several older mice have been known for not supporting
++# pairing/encryption.
++# Defaults to false to maximize device compatibility.
++#ClassicBondedOnly=true
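
Review bot: the classic-HID half of this fix is opt-in. `#ClassicBondedOnly=true` ships commented out and the documented default is false, so a system that receives this graft still accepts HID connections from unbonded classic Bluetooth devices until the input.conf read from CONFIGDIR sets `ClassicBondedOnly=true` in the `General` group that manager.c reads. That is upstream's compatibility decision (old mice without pairing support), but it deserves a sentence in the Guix patch header or commit message: the graft alone does not change the classic-HID posture, only the HOGP check further down is unconditional.
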
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 1d31b0652..5cd27b839 100644
+--- a/profiles/input/manager.c
++++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ 	config = load_config_file(CONFIGDIR "/input.conf");
+ 	if (config) {
+ 		int idle_timeout;
+-		gboolean uhid_enabled;
++		gboolean uhid_enabled, classic_bonded_only;
+ 
+ 		idle_timeout = g_key_file_get_integer(config, "General",
+ 							"IdleTimeout", &err);
+@@ -114,6 +114,17 @@ static int input_init(void)
+ 			input_enable_userspace_hid(uhid_enabled);
+ 		} else
+ 			g_clear_error(&err);
++
++		classic_bonded_only = g_key_file_get_boolean(config, "General",
++						"ClassicBondedOnly", &err);
++
++		if (!err) {
++			DBG("input.conf: ClassicBondedOnly=%s",
++					classic_bonded_only ? "true" : "false");
++			input_set_classic_bonded_only(classic_bonded_only);
++		} else
++			g_clear_error(&err);
++
+ 	}
+ 
+ 	btd_profile_register(&input_profile);
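
Review bot: the `else g_clear_error(&err);` branch treats a missing key and an invalid value identically and logs nothing in either case. g_key_file_get_boolean() sets an error both when `ClassicBondedOnly` is absent and when the value is not a GKeyFile boolean (for example `yes` or `True`), so a typo in a hardening setting leaves bluetoothd in the permissive default with no trace in the log. Suggest logging a warning when the error code is G_KEY_FILE_ERROR_INVALID_VALUE rather than clearing it unconditionally, as the existing `UserspaceHID` handling above does only because compatibility, not security, hinges on it.
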
+-- 
+2.25.1
+
+From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
+From: Alain Michaud <alainm <at> chromium.org>
+Date: Tue, 10 Mar 2020 02:35:16 +0000
+Subject: [PATCH] HOGP must only accept data from bonded devices.
+
+HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
+---
+ profiles/input/hog.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
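
Review bot: the Reference URL in this second upstream commit message ends in `intel-sa-00352.htm` (final `l` missing), unlike the same link in the first commit and in the Guix patch header. It is copied verbatim from upstream, so the patch file should keep it as-is, but anyone following the link from the patch may find it does not resolve; the header of the Guix patch already carries the full URL, which is the one to cite.
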
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index 83c017dcb..dfac68921 100644
+--- a/profiles/input/hog.c
++++ b/profiles/input/hog.c
+@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
+ 			return -EINVAL;
+ 	}
+ 
++	/* HOGP 1.0 Section 6.1 requires bonding */
++	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
++		return -ECONNREFUSED;
++
+ 	/* TODO: Replace GAttrib with bt_gatt_client */
+ 	bt_hog_attach(dev->hog, attrib);
+ 
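
Review bot: unlike the classic-HID check, this rejection in hog_accept is unconditional and not tied to `ClassicBondedOnly`, so any HOGP (Bluetooth LE HID) device that was previously used without bonding is refused with `-ECONNREFUSED` as soon as the graft is in place. That is what HOGP 1.0 Section 6.1 mandates, but it is a user-visible change the Guix commit message should mention (the remedy is to pair and bond the device). The hunk also gives no log line for the refusal, in contrast to the `error(...)` on the classic path; an `error()` or `DBG()` here would make such devices diagnosable.
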
+-- 
+2.25.1
+
-- 
2.25.1
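
The input.conf and manager.c hunks above make the classic-HID half of this fix configuration-gated: bluetoothd reads `ClassicBondedOnly` from the `General` group with g_key_file_get_boolean() and clears any error, so a missing, still-commented-out or misspelled setting leaves the compiled-in default of false. The following is an added example for this page, not BlueZ or Guix code: it audits the text of an input.conf the way bluetoothd would read it, including the silent-failure cases. It assumes GKeyFile accepts exactly the lowercase tokens true/false/1/0 as booleans and uses Python's configparser as a stand-in for GKeyFile; the sample configurations are constructed for the demonstration.

```python
"""Audit what bluetoothd will actually use for classic_bonded_only.

Added example for this page; not BlueZ or Guix code.  It follows the rules
the patched profiles/input/manager.c relies on: the key is read from the
[General] group with g_key_file_get_boolean(), and on any error (key
absent, or a value that is not a GKeyFile boolean) the error is cleared
and the compiled-in default `static bool classic_bonded_only = false;`
from profiles/input/device.c is left untouched.

Assumption (not stated on the page): GKeyFile accepts exactly the lowercase
tokens "true", "false", "1" and "0"; anything else is an invalid value.
configparser is used here as a stand-in for GKeyFile.
"""
import configparser
from typing import Optional

# Mirrors the initializer added to profiles/input/device.c.
DEFAULT_CLASSIC_BONDED_ONLY = False


def gkeyfile_boolean(value: str) -> Optional[bool]:
    """Approximate g_key_file_get_boolean() value parsing.

    Returns None where GKeyFile would report G_KEY_FILE_ERROR_INVALID_VALUE.
    """
    token = value.strip()
    if token in ("true", "1"):
        return True
    if token in ("false", "0"):
        return False
    return None


def effective_classic_bonded_only(conf_text: Optional[str]) -> bool:
    """Return the classic_bonded_only value bluetoothd ends up with.

    conf_text is the text of input.conf, or None when the file is missing:
    the `if (config)` block in input_init() is then skipped entirely and
    the default stands.
    """
    if conf_text is None:
        return DEFAULT_CLASSIC_BONDED_ONLY

    # GKeyFile syntax: '#' comments, '[Group]' headers, 'Key=value' pairs,
    # case-sensitive keys, no line continuation (assumptions of this model).
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                          empty_lines_in_values=False)
    parser.optionxform = str
    try:
        parser.read_string(conf_text)
    except configparser.Error:
        # Assumption: an unparsable file is treated like a missing one.
        return DEFAULT_CLASSIC_BONDED_ONLY

    raw = parser.get("General", "ClassicBondedOnly", fallback=None)
    if raw is None:
        # Key absent, or still commented out as shipped: default stands.
        return DEFAULT_CLASSIC_BONDED_ONLY

    parsed = gkeyfile_boolean(raw)
    if parsed is None:
        # Invalid token such as "yes" or "True": manager.c only calls
        # g_clear_error(), so the permissive default survives unlogged.
        return DEFAULT_CLASSIC_BONDED_ONLY
    return parsed


# Constructed sample configurations for the demonstration (not real files).
SAMPLE_AS_SHIPPED = """\
# Configuration file for the input service
[General]
#IdleTimeout=30
#UserspaceHID=true
#ClassicBondedOnly=true
"""
SAMPLE_ENABLED = "[General]\nClassicBondedOnly=true\n"
SAMPLE_YES = "[General]\nClassicBondedOnly=yes\n"            # silently ignored
SAMPLE_CAPITALISED = "[General]\nClassicBondedOnly=True\n"   # also ignored


if __name__ == "__main__":
    for label, text in [("missing file", None),
                        ("as shipped", SAMPLE_AS_SHIPPED),
                        ("enabled", SAMPLE_ENABLED),
                        ("yes", SAMPLE_YES),
                        ("True", SAMPLE_CAPITALISED)]:
        flag = effective_classic_bonded_only(text)
        print(f"{label:12} -> classic_bonded_only={str(flag).lower()}")
```

Run it against a copy of the host's input.conf to see whether the graft actually changed the classic-HID posture on that machine; only `true` or `1` in the `General` group does, and the HOGP check in the patch is the sole part that applies regardless of this file.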





Information forwarded to guix-patches <at> gnu.org:
bug#40044; Package guix-patches. (Thu, 12 Mar 2020 19:30:03 GMT)

Message #11 received at 40044 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 40044 <at> debbugs.gnu.org
Subject: [PATCH] gnu: BlueZ: Update to 5.53 [security fixes].
Date: Thu, 12 Mar 2020 15:29:40 -0400
Apparently this fixes a privilege escalation bug:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

* gnu/packages/linux.scm (bluez-5.53): New variable.
(bluez)[replacement]: New field.
---
 gnu/packages/linux.scm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 01986222e8..61b02591a4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3995,6 +3995,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
   (package
     (name "bluez")
     (version "5.52")
+    (replacement bluez-5.53)
     (source (origin
               (method url-fetch)
               (uri (string-append
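
Review bot: as message #14 below records, the 5.53 release does not contain the CVE-2020-0556 commits, so this graft would not address the advisory at all. Independently of that, grafting a version bump asks more of the graft mechanism than the patch-only `bluez/fixed` does: the grafted 5.53 output has to be a drop-in for everything already built against 5.52 (same library sonames and file layout), which a minor upstream release does not guarantee, so the patch-only replacement is the safer shape even when both are available.
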
@@ -4059,6 +4060,19 @@ Bluetooth audio output devices like headphones or loudspeakers.")
 is flexible, efficient and uses a modular implementation.")
     (license license:gpl2+)))
 
+(define bluez-5.53
+  (package
+    (inherit bluez)
+    (version "5.53")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "mirror://kernel.org/linux/bluetooth/bluez-"
+                    version ".tar.xz"))
+              (sha256
+               (base32
+                "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq"))))))
+
 (define-public fuse-exfat
   (package
     (name "fuse-exfat")
-- 
2.25.1





Information forwarded to guix-patches <at> gnu.org:
bug#40044; Package guix-patches. (Fri, 13 Mar 2020 16:27:01 GMT)

Message #14 received at 40044 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 40044 <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: BlueZ: Update to 5.53 [security fixes].
Date: Fri, 13 Mar 2020 12:26:18 -0400
On Thu, Mar 12, 2020 at 03:29:40PM -0400, Leo Famulari wrote:
> Apparently this fixes a privilege escalation bug:
> 
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
> 
> * gnu/packages/linux.scm (bluez-5.53): New variable.
> (bluez)[replacement]: New field.

Intel and I were mistaken — the bug fix is not included in the 5.53
release. So this patch should be disregarded.




Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Fri, 13 Mar 2020 23:26:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Fri, 13 Mar 2020 23:26:02 GMT)

Message #19 received at 40044-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 40044-done <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: BlueZ: Fix CVE-2020-0556.
Date: Fri, 13 Mar 2020 19:25:39 -0400
On Thu, Mar 12, 2020 at 03:28:59PM -0400, Leo Famulari wrote:
> * gnu/packages/patches/bluez-CVE-2020-0556.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (bluez)[replacement]: New field.
> (bluez/fixed): New variable.

Pushed as 364a1374ad5e04a91cdc29203f0c8073eede72d4. Thanks nckx for
testing!





bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 11 Apr 2020 11:24:05 GMT)




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.