Bluetooth: Add more enc key size check
From: Bastien Nocera <bnocera@redhat.com>
Subject: Bluetooth: Add more enc key size check
CVE: CVE-2023-24023
JIRA: https://issues.redhat.com/browse/RHEL-19668
commit 04a342cc49a8522e99c9b3346371c329d841dcd2
Author: Alex Lu <alex_lu@realsil.com.cn>
Date:   Tue Dec 12 10:30:34 2023 +0800
Bluetooth: Add more enc key size check
When we are in the slave role and receive an l2cap conn req when encryption has
started, we should check the enc key size to avoid a KNOB attack or BLUFFS
attack.
From SIG recommendation, implementations are advised to reject
service-level connections on an encrypted baseband link with key
strengths below 7 octets.
A simple and clear way to achieve this is to place the enc key size
check in hci_cc_read_enc_key_size().
The btmon log below shows the case that lacks the enc key size check.
> HCI Event: Connect Request (0x04) plen 10
Address: BB:22:33:44:55:99 (OUI BB-22-33)
Class: 0x480104
Major class: Computer (desktop, notebook, PDA, organizers)
Minor class: Desktop workstation
Capturing (Scanner, Microphone)
Telephony (Cordless telephony, Modem, Headset)
Link type: ACL (0x01)
< HCI Command: Accept Connection Request (0x01|0x0009) plen 7
Address: BB:22:33:44:55:99 (OUI BB-22-33)
Role: Peripheral (0x01)
> HCI Event: Command Status (0x0f) plen 4
Accept Connection Request (0x01|0x0009) ncmd 2
Status: Success (0x00)
> HCI Event: Connect Complete (0x03) plen 11
Status: Success (0x00)
Handle: 1
Address: BB:22:33:44:55:99 (OUI BB-22-33)
Link type: ACL (0x01)
Encryption: Disabled (0x00)
...
> HCI Event: Encryption Change (0x08) plen 4
Status: Success (0x00)
Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
Encryption: Enabled with E0 (0x01)
< HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2
Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
> HCI Event: Command Complete (0x0e) plen 7
Read Encryption Key Size (0x05|0x0008) ncmd 2
Status: Success (0x00)
Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
Key size: 6
// We should check the enc key size
...
> ACL Data RX: Handle 1 flags 0x02 dlen 12
L2CAP: Connection Request (0x02) ident 3 len 4
PSM: 25 (0x0019)
Source CID: 64
< ACL Data TX: Handle 1 flags 0x00 dlen 16
L2CAP: Connection Response (0x03) ident 3 len 8
Destination CID: 64
Source CID: 64
Result: Connection pending (0x0001)
Status: Authorization pending (0x0002)
> HCI Event: Number of Completed Packets (0x13) plen 5
Num handles: 1
Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
Count: 1
#35: len 16 (25 Kb/s)
Latency: 5 msec (2-7 msec ~4 msec)
< ACL Data TX: Handle 1 flags 0x00 dlen 16
L2CAP: Connection Response (0x03) ident 3 len 8
Destination CID: 64
Source CID: 64
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
Cc: stable@vger.kernel.org
Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
Signed-off-by: Max Chou <max.chou@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Bastien Nocera <bnocera@redhat.com>
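The check the commit message describes, as an added example that is not the kernel's code or the patch itself: a small C model of a peripheral that replays the event sequence from the btmon log above (Encryption Change, the Read Encryption Key Size completion, then an L2CAP Connection Request on PSM 25) and refuses the service-level connection when the negotiated key is shorter than 7 octets. The struct and function names, the 7-octet floor taken from the SIG recommendation quoted above, and the treatment of a too-short key as HCI_ERROR_AUTH_FAILURE followed by an L2CAP "security block" response are assumptions of this model, not a description of what the patch does inside hci_cc_read_enc_key_size().

```c
/* Added example (not the kernel's code): a model of the encryption key size
 * policy from the commit message, applied to the event sequence in the btmon
 * log. Names, the connection structure and the minimum key size constant are
 * assumptions made for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* HCI "Authentication Failure" error code (Core spec error code 0x05). */
#define HCI_ERROR_AUTH_FAILURE 0x05
/* L2CAP Connection Response result codes from the Core spec. */
#define L2CAP_CR_SUCCESS   0x0000
#define L2CAP_CR_SEC_BLOCK 0x0003   /* Connection refused - security block */
/* Floor recommended by the SIG, as quoted in the commit message: 7 octets. */
#define MIN_ENC_KEY_SIZE 7

struct model_conn {
	uint16_t handle;
	bool encrypted;       /* set by Encryption Change */
	uint8_t enc_key_size; /* set by Read Encryption Key Size */
};

/* Encryption Change event: record that the baseband link is now encrypted. */
static void model_encrypt_change(struct model_conn *c, uint8_t status,
				 uint8_t enable)
{
	if (status == 0)
		c->encrypted = enable != 0;
}

/* Command Complete for Read Encryption Key Size. Returns the status the upper
 * layers would see: 0 when the key is long enough, HCI_ERROR_AUTH_FAILURE
 * otherwise. A too-short key also clears the encrypted flag, so an L2CAP
 * Connection Request that arrives later sees an unencrypted link. */
static uint8_t model_read_enc_key_size_complete(struct model_conn *c,
						uint8_t status, uint8_t key_size,
						uint8_t min_key_size)
{
	if (status != 0) {
		c->encrypted = false;
		return status;
	}
	c->enc_key_size = key_size;
	if (key_size < min_key_size) {
		c->encrypted = false;
		return HCI_ERROR_AUTH_FAILURE;
	}
	return 0;
}

/* L2CAP Connection Request: return the Connection Response result to send.
 * A PSM that requires encryption is refused on a link that is not
 * considered encrypted. */
static uint16_t model_l2cap_conn_req(const struct model_conn *c,
				     bool psm_needs_encryption)
{
	if (psm_needs_encryption && !c->encrypted)
		return L2CAP_CR_SEC_BLOCK;
	return L2CAP_CR_SUCCESS;
}

/* Replay the sequence from the btmon log with a given negotiated key size
 * and return the L2CAP result the peripheral would answer with. */
static uint16_t model_replay(uint8_t key_size)
{
	struct model_conn c = { .handle = 1 };

	/* Encryption Change: Enabled with E0 */
	model_encrypt_change(&c, 0x00, 0x01);
	/* Command Complete: Read Encryption Key Size, Key size: key_size */
	model_read_enc_key_size_complete(&c, 0x00, key_size, MIN_ENC_KEY_SIZE);
	/* L2CAP Connection Request, PSM 25 (assumed to require encryption) */
	return model_l2cap_conn_req(&c, true);
}

int main(void)
{
	/* Key size 6 (as in the log) must be refused; 16 is accepted. */
	printf("key size 6  -> L2CAP result 0x%04x\n", (unsigned)model_replay(6));
	printf("key size 16 -> L2CAP result 0x%04x\n", (unsigned)model_replay(16));
	return 0;
}
```

With the 6-octet key from the log the model answers the Connection Request with the security block result instead of the "Connection successful" seen in the capture; any key of 7 octets or more is accepted. A controller that reports the key size asynchronously is why the check is tied to the Read Encryption Key Size completion rather than to the Encryption Change event alone.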
Merge request reports
Activity
Bughook Readiness Report
Nothing to report, this MR is using jira instead of bugzilla.
Updated 2024-02-09 08:52 UTC by bughook
JIRA Hook Readiness Report
Target Branch: main
This merge request passes jirahook validation: JIRAOK
JIRA Issue tags:
  JIRA Issue: RHEL-19668 (IN_PROGRESS)
  CVEs: CVE-2023-24023
  Commits: 37098d55
  Readiness: READY_FOR_MERGE
  Policy Check: Passed
  Notes: -
CVE tags:
  CVE: CVE-2023-24023
  Priority: Medium
  Commits: 37098d55
  Clones: N/A
  Readiness: READY_FOR_MERGE
  Notes: -
Linked JIRA Issues:
  JIRA Issue: RHEL-19669 (IN_PROGRESS)
  CVEs: CVE-2023-24023
  Component: kernel-rt
  Readiness: READY_FOR_MERGE
  Policy Check: Passed
  Notes: -
Guidelines for these entries can be found in CommitRules: https://red.ht/kwf_commit_rules.
To request re-evaluation either remove the JIRA label from the MR or add a comment with only the text: request-jirahook-evaluation.
Updated 2024-02-17 15:23 UTC by jirahook
added Subsystem:bluetooth label
added DependenciesOK label
added SignoffOK label
added FixesOK label
added JIRANeedsReview label
added BugzillaOK label
DCO Signoff Check Report SignoffOK
The DCO Signoff Check for all commits and the MR description has PASSED.
Updated 2024-02-09 08:52 UTC by signoff
changed milestone to %RHEL-9.4.0
Fixes Status: FixesOK
No missing upstream fixes for MR 3732 found at this time.
Updated 2024-02-17 06:46 UTC by fixes
CKI Pipelines Status: CKIOK
Blocking pipelines
Successful pipelines
These pipelines have been completed successfully or have been waived.
- CKI_CentOSOK c9s_merge_request was successful.
- CKI_RHELOK c9s_rhel9_compat_merge_request was successful.
- CKI_RTOK c9s_rt_merge_request was successful.
- CKI_64kOK c9s_64k_merge_request was successful.
Non-blocking pipelines
Successful pipelines
These pipelines have been completed successfully or have been waived.
- CKI_AutomotiveOK c9s_automotive_check_merge_request was successful.
Updated 2024-02-09 08:52 UTC by ckihook
added CommitRefsOK label
Upstream Commit ID Readiness Report: CommitRefsOK
This report indicates how backported commits compare to the upstream source commit. Matching (or not matching) is not a guarantee of correctness. KABI, missing or un-backportable dependencies, or existing RHEL differences against upstream may lead to a difference in commits. As always, care should be taken in the review to ensure code correctness.
Total number of commits analyzed: 1
Merge Request passes commit ID validation, references all present.
Updated 2024-02-09 08:53 UTC by commit_compare
added JIRAPlanning label and removed JIRANeedsReview label