From patchwork Thu Mar 14 10:20:00 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1912059
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/J][PATCH 0/1] CVE-2023-24023
Date: Thu, 14 Mar 2024 06:20:00 -0400
Message-Id: <20240314102002.22662-1-yuxuan.luo@canonical.com>

[Impact]
BLUFFS attack compromises the forward and future
secrecy of a Bluetooth connection through a machine-in-the-middle attack and
thus hijacks an entire session due to a weak protection mechanism caused by
an insufficient check on encryption key size. This vulnerability poses a high
threat to Bluetooth's confidentiality.

[Backport]
The conflict occurs around a variable called `status`, which is moved from
parameter to local variable in 278d933e12f1 ("Bluetooth: Normalize
HCI_OP_READ_ENC_KEY_SIZE cmdcmplt"). Missing this commit requires the status
variable to be renamed to avoid a naming conflict; in this patch, it is
renamed to `rp_status`.

Two patches share the same backporting idea, but since `git am` complains
about Jammy's patch on the Focal tree due to a context difference (probably
because of missing 32b50729d91f ("Bluetooth: don't assume key size is 16 when
the command fails")), two patches are generated for convenience of applying.

[Test]
Compile and boot tested.

[Where things could go wrong]
The change is taking place in the connection setup part.

Alex Lu (1):
  Bluetooth: Add more enc key size check

 net/bluetooth/hci_event.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)