[SRU,F/J,v2,0/1] CVE-2023-24023

Message ID 20240320185611.385130-1-yuxuan.luo@canonical.com
Series CVE-2023-24023

Message

Yuxuan Luo March 20, 2024, 6:56 p.m. UTC
The v1 patch dereferences rp before it is initialized; this v2 fixes this
issue.

[Impact]
The BLUFFS attack compromises the forward and future secrecy of a Bluetooth
connection through a machine-in-the-middle attack and thus hijacks an
entire session, due to a weak protection mechanism caused by an insufficient
check on the encryption key size. This vulnerability poses a high threat
to Bluetooth's confidentiality.

[Backport]
The conflict occurs around a variable called `status`, which is moved
from parameter to local variable in 278d933e12f1 ("Bluetooth: Normalize
HCI_OP_READ_ENC_KEY_SIZE cmdcmplt"). Missing this commit requires the
status variable to be renamed to avoid naming conflict; in this patch,
it is renamed to `rp_status`.

The two patches share the same backporting idea, but since `git am`
complains about Jammy's patch on the Focal tree due to context differences
(probably because of missing 32b50729d91f ("Bluetooth: don't assume key
size is 16 when the command fails")), two patches are generated for
convenience of applying.

[Test]
Compile and boot tested.

[Where things could go wrong]
The change takes place in the connection-setup part.

Alex Lu (1):
  Bluetooth: Add more enc key size check

 net/bluetooth/hci_event.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
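
As an added illustration (not the backported patch itself, nor code taken from the kernel), the following C model shows the two behaviours the commit titles above describe: not assuming a 16-byte key when HCI_OP_READ_ENC_KEY_SIZE fails, and refusing to treat a link as encrypted when the reported key size is below a minimum. The wire layout of the return parameters, the `conn` struct, the CONN_* flag names, the `min_enc_key_size` parameter and the sample byte strings are all constructed for this example; HCI_LINK_KEY_SIZE (16) and HCI_ERROR_AUTH_FAILURE (0x05) mirror the kernel's constants, and 7 bytes is used as the example's default minimum.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values mirroring the kernel's constants (assumed for this example). */
#define HCI_LINK_KEY_SIZE      16    /* largest BR/EDR encryption key */
#define HCI_ERROR_AUTH_FAILURE 0x05

/* Simplified connection flags, modelled on HCI_CONN_ENCRYPT / HCI_CONN_AES_CCM. */
enum { CONN_ENCRYPT = 1u << 0, CONN_AES_CCM = 1u << 1 };

struct conn {
    uint16_t handle;
    uint8_t  enc_key_size;   /* 0 = unknown */
    unsigned flags;
};

/* Return parameters of HCI_OP_READ_ENC_KEY_SIZE as modelled here:
 * status (1 byte), connection handle (2 bytes, little-endian), key size (1). */
struct read_enc_key_size_rp {
    uint8_t  status;
    uint16_t handle;
    uint8_t  key_size;
};

/* Parse the raw return parameters; refuse to interpret a truncated buffer. */
static bool parse_read_enc_key_size_rp(const uint8_t *buf, size_t len,
                                       struct read_enc_key_size_rp *rp)
{
    if (len < 4)
        return false;
    rp->status   = buf[0];
    rp->handle   = (uint16_t)(buf[1] | (buf[2] << 8));
    rp->key_size = buf[3];
    return true;
}

/* Decide whether the link may be treated as encrypted. Returns 0 to accept,
 * otherwise the HCI status the caller would report before tearing down. */
static uint8_t read_enc_key_size_complete(struct conn *conn,
                                          const struct read_enc_key_size_rp *rp,
                                          uint8_t min_enc_key_size)
{
    if (rp->status) {
        /* Command failed: do not assume a 16-byte key. Record the size as
         * unknown and drop the encryption bits so upper layers see an
         * insecure link instead of a falsely strong one. */
        conn->enc_key_size = 0;
        conn->flags &= ~(CONN_ENCRYPT | CONN_AES_CCM);
        return rp->status;
    }

    conn->enc_key_size = rp->key_size;
    if (conn->enc_key_size < min_enc_key_size ||
        conn->enc_key_size > HCI_LINK_KEY_SIZE) {
        /* Key too short (or out of range): clear the encryption bits so a
         * later L2CAP connect request observes the correct security state. */
        conn->flags &= ~(CONN_ENCRYPT | CONN_AES_CCM);
        return HCI_ERROR_AUTH_FAILURE;
    }
    return 0;
}

/* Parse raw return parameters, then apply the policy. A truncated event is
 * treated as a failure. (The real handler also looks the connection up by
 * rp->handle; that lookup is outside this model.) */
static uint8_t handle_enc_key_size_event(struct conn *conn, const uint8_t *buf,
                                         size_t len, uint8_t min_enc_key_size)
{
    struct read_enc_key_size_rp rp;
    if (!parse_read_enc_key_size_rp(buf, len, &rp)) {
        conn->flags &= ~(CONN_ENCRYPT | CONN_AES_CCM);
        return HCI_ERROR_AUTH_FAILURE;
    }
    return read_enc_key_size_complete(conn, &rp, min_enc_key_size);
}

/* Constructed sample return parameters, all for connection handle 0x0001. */
static const uint8_t SAMPLE_OK16[]   = { 0x00, 0x01, 0x00, 0x10 }; /* 16-byte key */
static const uint8_t SAMPLE_KEY7[]   = { 0x00, 0x01, 0x00, 0x07 }; /* 7-byte key */
static const uint8_t SAMPLE_SHORT1[] = { 0x00, 0x01, 0x00, 0x01 }; /* 1-byte key */
static const uint8_t SAMPLE_FAILED[] = { 0x0c, 0x01, 0x00, 0x00 }; /* command failed */

/* A connection that the controller has just reported as encrypted. */
static struct conn fresh_conn(void)
{
    struct conn c = { .handle = 0x0001, .enc_key_size = 0,
                      .flags = CONN_ENCRYPT | CONN_AES_CCM };
    return c;
}

int main(void)
{
    struct conn c = fresh_conn();
    printf("16-byte key, min 7:  status 0x%02x\n",
           handle_enc_key_size_event(&c, SAMPLE_OK16, sizeof SAMPLE_OK16, 7));
    c = fresh_conn();
    printf("1-byte key, min 7:   status 0x%02x\n",
           handle_enc_key_size_event(&c, SAMPLE_SHORT1, sizeof SAMPLE_SHORT1, 7));
    c = fresh_conn();
    printf("failed command:      status 0x%02x, key size %u\n",
           handle_enc_key_size_event(&c, SAMPLE_FAILED, sizeof SAMPLE_FAILED, 7),
           c.enc_key_size);
    return 0;
}
```

The minimum is a parameter rather than a constant so that the difference between the spec floor and a stricter 16-byte policy is visible: the same 7-byte key is accepted with `min_enc_key_size` 7 and rejected with 16. The failure path leaves `enc_key_size` at 0 and clears both flags, which is the observable property a test of a key-size backport should check.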

Comments

Jacob Martin March 20, 2024, 8:38 p.m. UTC | #1
Acked-by: Jacob Martin <jacob.martin@canonical.com>

On 3/20/24 1:56 PM, Yuxuan Luo wrote:
> The v1 patch dereferences rp before it is initialized; this v2 fixes this
> issue.
> 
> [Impact]
> The BLUFFS attack compromises the forward and future secrecy of a Bluetooth
> connection through a machine-in-the-middle attack and thus hijacks an
> entire session, due to a weak protection mechanism caused by an insufficient
> check on the encryption key size. This vulnerability poses a high threat
> to Bluetooth's confidentiality.
> 
> [Backport]
> The conflict occurs around a variable called `status`, which is moved
> from parameter to local variable in 278d933e12f1 ("Bluetooth: Normalize
> HCI_OP_READ_ENC_KEY_SIZE cmdcmplt"). Missing this commit requires the
> status variable to be renamed to avoid naming conflict; in this patch,
> it is renamed to `rp_status`.
> 
> The two patches share the same backporting idea, but since `git am`
> complains about Jammy's patch on the Focal tree due to context differences
> (probably because of missing 32b50729d91f ("Bluetooth: don't assume key
> size is 16 when the command fails")), two patches are generated for
> convenience of applying.
> 
> [Test]
> Compile and boot tested.
> 
> [Where things could go wrong]
> The change takes place in the connection-setup part.
> 
> Alex Lu (1):
>    Bluetooth: Add more enc key size check
> 
>   net/bluetooth/hci_event.c | 18 +++++++++++++++++-
>   1 file changed, 17 insertions(+), 1 deletion(-)
>
Roxana Nicolescu March 22, 2024, 3:18 p.m. UTC | #2
On 20/03/2024 19:56, Yuxuan Luo wrote:
> The v1 patch dereferences rp before it is initialized; this v2 fixes this
> issue.
>
> [Impact]
> The BLUFFS attack compromises the forward and future secrecy of a Bluetooth
> connection through a machine-in-the-middle attack and thus hijacks an
> entire session, due to a weak protection mechanism caused by an insufficient
> check on the encryption key size. This vulnerability poses a high threat
> to Bluetooth's confidentiality.
>
> [Backport]
> The conflict occurs around a variable called `status`, which is moved
> from parameter to local variable in 278d933e12f1 ("Bluetooth: Normalize
> HCI_OP_READ_ENC_KEY_SIZE cmdcmplt"). Missing this commit requires the
> status variable to be renamed to avoid naming conflict; in this patch,
> it is renamed to `rp_status`.
>
> The two patches share the same backporting idea, but since `git am`
> complains about Jammy's patch on the Focal tree due to context differences
> (probably because of missing 32b50729d91f ("Bluetooth: don't assume key
> size is 16 when the command fails")), two patches are generated for
> convenience of applying.
>
> [Test]
> Compile and boot tested.
>
> [Where things could go wrong]
> The change takes place in the connection-setup part.
>
> Alex Lu (1):
>    Bluetooth: Add more enc key size check
>
>   net/bluetooth/hci_event.c | 18 +++++++++++++++++-
>   1 file changed, 17 insertions(+), 1 deletion(-)
>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Roxana Nicolescu March 22, 2024, 3:21 p.m. UTC | #3
On 20/03/2024 19:56, Yuxuan Luo wrote:
> The v1 patch dereferences rp before it is initialized; this v2 fixes this
> issue.
>
> [Impact]
> The BLUFFS attack compromises the forward and future secrecy of a Bluetooth
> connection through a machine-in-the-middle attack and thus hijacks an
> entire session, due to a weak protection mechanism caused by an insufficient
> check on the encryption key size. This vulnerability poses a high threat
> to Bluetooth's confidentiality.
>
> [Backport]
> The conflict occurs around a variable called `status`, which is moved
> from parameter to local variable in 278d933e12f1 ("Bluetooth: Normalize
> HCI_OP_READ_ENC_KEY_SIZE cmdcmplt"). Missing this commit requires the
> status variable to be renamed to avoid naming conflict; in this patch,
> it is renamed to `rp_status`.
>
> The two patches share the same backporting idea, but since `git am`
> complains about Jammy's patch on the Focal tree due to context differences
> (probably because of missing 32b50729d91f ("Bluetooth: don't assume key
> size is 16 when the command fails")), two patches are generated for
> convenience of applying.
>
> [Test]
> Compile and boot tested.
>
> [Where things could go wrong]
> The change takes place in the connection-setup part.
>
> Alex Lu (1):
>    Bluetooth: Add more enc key size check
>
>   net/bluetooth/hci_event.c | 18 +++++++++++++++++-
>   1 file changed, 17 insertions(+), 1 deletion(-)
>
Applied to jammy, focal master-next branches. Thanks!